Windows Analysis Report
PO-78140924.BAT.PDF.exe

Overview

General Information

Sample name: PO-78140924.BAT.PDF.exe
Analysis ID: 1519457
MD5: 0c3d90f3a7607383e1e4a5da779b23f2
SHA1: bf3452b178fe50a53d94498cd2efc777c993954b
SHA256: 4b3d9e2b4d5af94fe3953942fe920f42c3928a7c4c9d5ccd841bd1fac367690e
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: PO-78140924.BAT.PDF.exe Avira: detected
Source: PO-78140924.BAT.PDF.exe ReversingLabs: Detection: 79%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO-78140924.BAT.PDF.exe Joe Sandbox ML: detected
Source: PO-78140924.BAT.PDF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YKkstfciYBQ.exe, 00000003.00000000.2070305149.000000000077E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0007449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0007449B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0049C460 FindFirstFileW,FindNextFileW,FindClose, 4_2_0049C460
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then xor eax, eax 4_2_00489C00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 4_2_0048E012
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then mov ebx, 00000004h 4_2_00E504DE

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49714 -> 172.96.187.60:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49719 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49720 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49717 -> 172.96.187.60:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49710 -> 217.70.184.50:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 67.223.117.189:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49713 -> 217.70.184.50:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49712 -> 217.70.184.50:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49711 -> 217.70.184.50:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49724 -> 67.223.117.189:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49713 -> 217.70.184.50:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49709 -> 81.88.63.46:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49709 -> 81.88.63.46:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49716 -> 172.96.187.60:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49718 -> 172.96.187.60:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49718 -> 172.96.187.60:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49732 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 85.153.138.113:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49739 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49739 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49727 -> 67.223.117.189:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49731 -> 103.248.137.209:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49727 -> 67.223.117.189:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49746 -> 172.67.165.25:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49740 -> 85.153.138.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 103.248.137.209:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49731 -> 103.248.137.209:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49743 -> 85.153.138.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49736 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49743 -> 85.153.138.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49722 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49726 -> 67.223.117.189:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49722 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49735 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49735 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49744 -> 172.67.165.25:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49728 -> 103.248.137.209:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 85.153.138.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 103.248.137.209:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49745 -> 172.67.165.25:80
Source: DNS query: www.heldhold.xyz
Source: Joe Sandbox View IP Address: 67.223.117.189
Source: Joe Sandbox View IP Address: 217.70.184.50
Source: Joe Sandbox View ASN Name: VIMRO-AS15189US
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS
Source: Joe Sandbox View ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /a4ar/?vf5pwn=bigEPZ6XMKFUrjbkOOF/tc1QSeZpy4rj9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOCaAaQ3Lxux4SSFbsDgkYjgjAaiC5myZdzdYIguvdh1gvDg==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.2bhp.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /8pln/?vf5pwn=T9/DtY4QstE2hf5N+QbDCp08BY0+/KIvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9qM2494p5Ur94ranWdRPLWWfdK4ZvNUpqMUToNubzG0SM8g==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.ultraleap.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dalong.siteConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /xamn/?vf5pwn=eI40u+kXl6dCNOxtOqaVh3t2St2MUXLKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR4W4fWnAv/fqpdm4W58wxIsvJOF8/cGdHH0QztCYqDUNhvQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mgeducacaopro.onlineConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /fava/?lHul=nfQTqL40vDEpIp30&vf5pwn=GCDZpLqdSYk7fT5BaAxVCvWfN8QL3LUdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQAngPiIKVJBW1l0NVsB5cz1lTXdEnKbnDfocvymGyGvQBrQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.heldhold.xyzConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /5o7d/?vf5pwn=zMeRclQqEZ6cHEkv6r3h6rNdPeIv0NfXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGdsHlq0LOSSwDS14egmHnY5/1aPOe4+/4uS5IVfZSCCmkbAw==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /kt2f/?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.asiapartnars.onlineConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /al6z/?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.linkwave.cloudConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic HTTP traffic detected: GET /3lu7/?vf5pwn=nzWofdhWpyQTuQkAURoZiOuSpDDcsuZ4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCJcPncARSRGAtt0+HcJ3GcQEnXiNUfFJGdHJ4JUWSbdHV9w==&lHul=nfQTqL40vDEpIp30 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mfgarage.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.2bhp.com
Source: global traffic DNS traffic detected: DNS query: www.ultraleap.net
Source: global traffic DNS traffic detected: DNS query: www.dalong.site
Source: global traffic DNS traffic detected: DNS query: www.mgeducacaopro.online
Source: global traffic DNS traffic detected: DNS query: www.heldhold.xyz
Source: global traffic DNS traffic detected: DNS query: www.63582.photo
Source: global traffic DNS traffic detected: DNS query: www.useanecdotenow.tech
Source: global traffic DNS traffic detected: DNS query: www.asiapartnars.online
Source: global traffic DNS traffic detected: DNS query: www.linkwave.cloud
Source: global traffic DNS traffic detected: DNS query: www.mfgarage.net
Source: global traffic DNS traffic detected: DNS query: www.b5x7vk.agency
Source: unknown HTTP traffic detected: POST /8pln/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.ultraleap.netOrigin: http://www.ultraleap.netContent-Length: 207Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeReferer: http://www.ultraleap.net/8pln/User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36 Data Ascii: vf5pwn=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jMf8eBF4LuLeRkos1uJKe7rcIB/NcnMUCyVeYAs=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:22:25 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 26 Sep 2024 13:22:54 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 
30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 26 Sep 2024 13:22:57 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 
30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 26 Sep 2024 13:23:00 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 26 Sep 2024 13:23:02 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:23:22 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:23:25 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:23:27 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:23:31 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:25:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWVRwH4o6es9cjRv9KQrITzRg2KDIR%2BsbB4vGKVMxFspfW7ZdvE1tyPEK1GgciZs0GZxZGO43cv1FKkEn6nYLYyMI%2F88tCw8sF%2Fn6r8xIkK2ldEGGmP7x%2BIDIGGfKPcqDmY30A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c9393d46f097d0b-EWRContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:25:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crm9UGmSKpf08C3wAoPeM%2F09gSKvJtzPxskaWgjSa2cigzSTY8pZ4z9oDcb3zyg2wQLHivAoqsVBmHYZUVIse8y5cUKh9PoyxXvnmAeNWfweGgQwvpw290brO5ZfR3dZGZMHxA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c9393e7ad8a42eb-EWRContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 13:25:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IProemyRG98En7CWZdF5GfaX%2FSemz5Ye%2BaDogSHz%2FU3WGZsXphsfVu4nAYsd1MLoJaxK1nz%2BqW7CmqVrraUXmpxK8CCNoNnbvuyhZRFApA2N1VLsn%2BlD%2BvpUWVFo%2FsnxdOtvlA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c9393fb0e5918bc-EWRContent-Encoding: gzip
Source: YKkstfciYBQ.exe, 00000003.00000002.3900775999.00000000063C2000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.b5x7vk.agency
Source: YKkstfciYBQ.exe, 00000003.00000002.3900775999.00000000063C2000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.b5x7vk.agency/zznj/
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.000000000490C000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.000000000554C000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033E
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033k
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mstsc.exe, 00000004.00000003.2345245031.0000000007659000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.00000000050E6000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005D26000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3Fvf5pwn%3Dnz
Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=ultraleap.net
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00012344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00012344
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0009CB26

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: PO-78140924.BAT.PDF.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e3465d58-a
Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_daa819c9-d
Source: initial sample Static PE information: Filename: PO-78140924.BAT.PDF.exe
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00013688 NtdllDefWindowProc_W,PostQuitMessage, 0_2_00013688
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_0009C216
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00011290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00011290
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009D422 NtdllDialogWndProc_W, 0_2_0009D422
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009D4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_0009D4A8
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_0009C502
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C5E7 SendMessageW,NtdllDialogWndProc_W, 0_2_0009C5E7
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_0009C668
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001167D NtdllDialogWndProc_W, 0_2_0001167D
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000116B5 NtdllDialogWndProc_W, 0_2_000116B5
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000116DE GetParent,NtdllDialogWndProc_W, 0_2_000116DE
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000136E5 NtdllDefWindowProc_W, 0_2_000136E5
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009D7F6 NtdllDialogWndProc_W, 0_2_0009D7F6
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001189B NtdllDialogWndProc_W, 0_2_0001189B
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C8CA NtdllDialogWndProc_W, 0_2_0009C8CA
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C8F9 NtdllDialogWndProc_W, 0_2_0009C8F9
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C928 NtdllDialogWndProc_W, 0_2_0009C928
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001192B NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W, 0_2_0001192B
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C973 NtdllDialogWndProc_W, 0_2_0009C973
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009C9A8 ClientToScreen,NtdllDialogWndProc_W, 0_2_0009C9A8
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00011AC2 NtdllDialogWndProc_W, 0_2_00011AC2
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009CAE6 GetWindowLongW,NtdllDialogWndProc_W, 0_2_0009CAE6
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0009CB26
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009BF9A NtdllDialogWndProc_W, 0_2_0009BF9A
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0009BFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_0009BFF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C553 NtClose, 2_2_0042C553
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk, 2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk, 2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C74340 NtSetContextThread, 2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C73090 NtSetValueKey, 2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C73010 NtOpenDirectoryObject, 2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C74650 NtSuspendThread, 2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72BE0 NtQueryValueKey, 2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72BF0 NtAllocateVirtualMemory, 2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72B80 NtQueryInformationFile, 2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72BA0 NtEnumerateValueKey, 2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72AD0 NtReadFile, 2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72AF0 NtWriteFile, 2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72AB0 NtWaitForSingleObject, 2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C739B0 NtGetContextThread, 2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72FE0 NtCreateFile, 2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72F90 NtProtectVirtualMemory, 2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72FA0 NtQuerySection, 2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72FB0 NtResumeThread, 2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72F60 NtCreateProcessEx, 2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72F30 NtCreateSection, 2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72EE0 NtQueueApcThread, 2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72E80 NtReadVirtualMemory, 2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken, 2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72E30 NtWriteVirtualMemory, 2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72DD0 NtDelayExecution, 2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72DB0 NtEnumerateKey, 2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C73D70 NtOpenThread, 2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72D00 NtSetInformationFile, 2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72D10 NtMapViewOfSection, 2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C73D10 NtOpenProcessToken, 2_2_03C73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72D30 NtUnmapViewOfSection, 2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72CC0 NtQueryVirtualMemory, 2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72CF0 NtOpenProcess, 2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72CA0 NtQueryInformationToken, 2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72C60 NtCreateKey, 2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72C70 NtFreeVirtualMemory, 2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72C00 NtQueryInformationProcess, 2_2_03C72C00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045635C0 NtCreateMutant,LdrInitializeThunk, 4_2_045635C0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04564650 NtSuspendThread,LdrInitializeThunk, 4_2_04564650
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04564340 NtSetContextThread,LdrInitializeThunk, 4_2_04564340
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_04562C70
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562C60 NtCreateKey,LdrInitializeThunk, 4_2_04562C60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_04562CA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_04562D10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_04562D30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562DD0 NtDelayExecution,LdrInitializeThunk, 4_2_04562DD0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_04562DF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562EE0 NtQueueApcThread,LdrInitializeThunk, 4_2_04562EE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562E80 NtReadVirtualMemory,LdrInitializeThunk, 4_2_04562E80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562F30 NtCreateSection,LdrInitializeThunk, 4_2_04562F30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562FE0 NtCreateFile,LdrInitializeThunk, 4_2_04562FE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562FB0 NtResumeThread,LdrInitializeThunk, 4_2_04562FB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045639B0 NtGetContextThread,LdrInitializeThunk, 4_2_045639B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562AD0 NtReadFile,LdrInitializeThunk, 4_2_04562AD0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562AF0 NtWriteFile,LdrInitializeThunk, 4_2_04562AF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562B60 NtClose,LdrInitializeThunk, 4_2_04562B60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_04562BF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_04562BE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562BA0 NtEnumerateValueKey,LdrInitializeThunk, 4_2_04562BA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04563010 NtOpenDirectoryObject, 4_2_04563010
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04563090 NtSetValueKey, 4_2_04563090
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562C00 NtQueryInformationProcess, 4_2_04562C00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562CC0 NtQueryVirtualMemory, 4_2_04562CC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562CF0 NtOpenProcess, 4_2_04562CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04563D70 NtOpenThread, 4_2_04563D70
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04563D10 NtOpenProcessToken, 4_2_04563D10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562D00 NtSetInformationFile, 4_2_04562D00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562DB0 NtEnumerateKey, 4_2_04562DB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562E30 NtWriteVirtualMemory, 4_2_04562E30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562EA0 NtAdjustPrivilegesToken, 4_2_04562EA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562F60 NtCreateProcessEx, 4_2_04562F60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562F90 NtProtectVirtualMemory, 4_2_04562F90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562FA0 NtQuerySection, 4_2_04562FA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562AB0 NtWaitForSingleObject, 4_2_04562AB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04562B80 NtQueryInformationFile, 4_2_04562B80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A9040 NtReadFile, 4_2_004A9040
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A9130 NtDeleteFile, 4_2_004A9130
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A91D0 NtClose, 4_2_004A91D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A9330 NtAllocateVirtualMemory, 4_2_004A9330
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A8EE0 NtCreateFile, 4_2_004A8EE0
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001E060 0_2_0001E060
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00023190 0_2_00023190
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00033307 0_2_00033307
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00032345 0_2_00032345
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003F359 0_2_0003F359
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00046452 0_2_00046452
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000425AE 0_2_000425AE
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00031604 0_2_00031604
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00025680 0_2_00025680
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003277A 0_2_0003277A
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00037813 0_2_00037813
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000258C0 0_2_000258C0
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0004890F 0_2_0004890F
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001192B 0_2_0001192B
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00028968 0_2_00028968
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000469C4 0_2_000469C4
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00031AF8 0_2_00031AF8
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003CCA1 0_2_0003CCA1
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00097E0D 0_2_00097E0D
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001FEA9 0_2_0001FEA9
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00031F10 0_2_00031F10
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003BF26 0_2_0003BF26
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00046F36 0_2_00046F36
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418563 2_2_00418563
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00410023 2_2_00410023
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E0A3 2_2_0040E0A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403109 2_2_00403109
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403110 2_2_00403110
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042EB33 2_2_0042EB33
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040FDFC 2_2_0040FDFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402670 2_2_00402670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040FE03 2_2_0040FE03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416743 2_2_00416743
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D003E6 2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C8739A 2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2D34C 2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA352 2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF132D 2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5B2C0 2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE12ED 2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C452A0 2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF81CC 2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4B1B0 2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D001AA 2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC8158 2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7516C 2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F172 2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0B16B 2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30100 2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDA118 2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF0CC 2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C470C0 2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF70E9 2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFF0E0 2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3C7C0 2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFF7B0 2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C64750 2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF16CC 2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5C6E0 2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D00591 2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDD5B0 2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF7571 2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40535 2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEE4F6 2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF2446 2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C31460 2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFF43F 2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF6BD7 2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB5BF0 2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7DBF9 2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5FB80 2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFAB40 2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFFB76 2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEDAC6 2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDDAAC 2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C85AA0 2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFFA49 2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF7A46 2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB3A6C 2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0A9A6 2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C49950 2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5B950 2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C56962 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C438E0 2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E8F0 2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C268B8 2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C42840 2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4A840 2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD800 2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C32FC8 2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4CFE0 2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41F92 2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFFFB1 2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB4F40 2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFFF09 2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C82F28 2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C60F30 2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFEEDB 2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C52E90 2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFCE93 2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C49EB0 2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40E59 2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFEE26 2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5FDC0 2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3ADE0 2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C58DBF 2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C43D40 2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF1D5A 2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF7D73 2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4AD00 2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30CF2 2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFFCF2 2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0CB5 2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40C00 2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB9C32 2_2_03CB9C32
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Code function: 3_2_0637A29E 3_2_0637A29E
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Code function: 3_2_0639E205 3_2_0639E205
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E2446 4_2_045E2446
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04521460 4_2_04521460
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EF43F 4_2_045EF43F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045DE4F6 4_2_045DE4F6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E7571 4_2_045E7571
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04530535 4_2_04530535
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045F0591 4_2_045F0591
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045CD5B0 4_2_045CD5B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E16CC 4_2_045E16CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0454C6E0 4_2_0454C6E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04554750 4_2_04554750
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04530770 4_2_04530770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0452C7C0 4_2_0452C7C0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EF7B0 4_2_045EF7B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045DF0CC 4_2_045DF0CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045370C0 4_2_045370C0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E70E9 4_2_045E70E9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EF0E0 4_2_045EF0E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0451F172 4_2_0451F172
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045FB16B 4_2_045FB16B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0456516C 4_2_0456516C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045CA118 4_2_045CA118
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04520100 4_2_04520100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E81CC 4_2_045E81CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0453B1B0 4_2_0453B1B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045F01AA 4_2_045F01AA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045D0274 4_2_045D0274
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0454B2C0 4_2_0454B2C0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045D12ED 4_2_045D12ED
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045352A0 4_2_045352A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EA352 4_2_045EA352
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0451D34C 4_2_0451D34C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E132D 4_2_045E132D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0453E3F0 4_2_0453E3F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045F03E6 4_2_045F03E6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0457739A 4_2_0457739A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04530C00 4_2_04530C00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045A9C32 4_2_045A9C32
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04520CF2 4_2_04520CF2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EFCF2 4_2_045EFCF2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045D0CB5 4_2_045D0CB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E1D5A 4_2_045E1D5A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04533D40 4_2_04533D40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E7D73 4_2_045E7D73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0453AD00 4_2_0453AD00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0454FDC0 4_2_0454FDC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0452ADE0 4_2_0452ADE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04548DBF 4_2_04548DBF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04530E59 4_2_04530E59
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EEE26 4_2_045EEE26
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EEEDB 4_2_045EEEDB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04542E90 4_2_04542E90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045ECE93 4_2_045ECE93
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04539EB0 4_2_04539EB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045A4F40 4_2_045A4F40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EFF09 4_2_045EFF09
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04550F30 4_2_04550F30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04572F28 4_2_04572F28
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04522FC8 4_2_04522FC8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0453CFE0 4_2_0453CFE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04531F92 4_2_04531F92
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EFFB1 4_2_045EFFB1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04532840 4_2_04532840
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0453A840 4_2_0453A840
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0459D800 4_2_0459D800
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0455E8F0 4_2_0455E8F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045338E0 4_2_045338E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045168B8 4_2_045168B8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04539950 4_2_04539950
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0454B950 4_2_0454B950
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04546962 4_2_04546962
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045329A0 4_2_045329A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045FA9A6 4_2_045FA9A6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EFA49 4_2_045EFA49
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E7A46 4_2_045E7A46
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045A3A6C 4_2_045A3A6C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045DDAC6 4_2_045DDAC6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0452EA80 4_2_0452EA80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045CDAAC 4_2_045CDAAC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_04575AA0 4_2_04575AA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EAB40 4_2_045EAB40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045EFB76 4_2_045EFB76
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045E6BD7 4_2_045E6BD7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0456DBF9 4_2_0456DBF9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0454FB80 4_2_0454FB80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00491B50 4_2_00491B50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004951E0 4_2_004951E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004933C0 4_2_004933C0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004AB7B0 4_2_004AB7B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0048CA79 4_2_0048CA79
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0048CA80 4_2_0048CA80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0048CCA0 4_2_0048CCA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0048AD20 4_2_0048AD20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5E378 4_2_00E5E378
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5E495 4_2_00E5E495
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E6540C 4_2_00E6540C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5D898 4_2_00E5D898
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5E833 4_2_00E5E833
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5CA83 4_2_00E5CA83
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E5CB58 4_2_00E5CB58
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00E63F69 4_2_00E63F69
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03C75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03C2B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03C87E54 appears 96 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 04577E54 appears 89 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 045AF290 appears 105 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 04565130 appears 36 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0451B970 appears 268 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0459EA12 appears 85 times
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: String function: 00038A80 appears 39 times
Source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004663000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-78140924.BAT.PDF.exe
Source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2041249097.000000000480D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-78140924.BAT.PDF.exe
Source: PO-78140924.BAT.PDF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/4@11/8
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0007A0F4 GetLastError,FormatMessageW, 0_2_0007A0F4
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00073C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00073C99
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00014FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00014FE9
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe File created: C:\Users\user\AppData\Local\Temp\proximobuccal
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mstsc.exe, 00000004.00000003.2346478807.0000000000713000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2346272846.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.0000000000740000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2349393879.000000000071D000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.0000000000713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO-78140924.BAT.PDF.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\mstsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO-78140924.BAT.PDF.exe Static file information: File size 1085440 > 1048576
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YKkstfciYBQ.exe, 00000003.00000000.2070305149.000000000077E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0019AAC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0019AAC0
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000243B7 push edi; ret 0_2_000243B9
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000243CB push edi; ret 0_2_000243CD
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0001C590 push eax; retn 0001h 0_2_0001C599
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003B947 push esi; ret 0_2_0003B949
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003B996 push edi; ret 0_2_0003B998
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003BA3C push edi; ret 0_2_0003BA3E
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00038AC5 push ecx; ret 0_2_00038AD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404878 push edx; iretd 2_2_00404879
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004180CC push ss; iretd 2_2_004180D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004021FE push ecx; ret 2_2_004021FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413A18 push ebx; retf 2_2_00413A2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041221F push ss; ret 2_2_00412220
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413A23 push ebx; retf 2_2_00413A2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413A2E push ebx; retf 2_2_00413A2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004073CB push esi; ret 2_2_004073CE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403380 push eax; ret 2_2_00403382
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040A623 push edi; retf 2_2_0040A62D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418E2B push esi; ret 2_2_00418E2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E76A push ebp; retf 2_2_0041E858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E71E push edx; iretd 2_2_0041E71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx 2_2_03C309B6
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Code function: 3_2_0639D02B push ss; iretd 3_2_0639D033
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Code function: 3_2_0639C732 push es; retf 3_2_0639C749
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Code function: 3_2_0639F3B4 push eax; ret 3_2_0639F3B6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_045209AD push ecx; mov dword ptr [esp], ecx 4_2_045209B6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A18CC push es; iretd 4_2_004A18C5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_00484048 push esi; ret 4_2_0048404B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004872A0 push edi; retf 4_2_004872AA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0049B3E7 push ebp; retf 4_2_0049B4D5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0049B39B push edx; iretd 4_2_0049B39C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_004A043C push eax; ret 4_2_004A043D
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00014A35
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00033307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00033307
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe API/Special instruction interceptor: Address: 1712D54
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD1C0 rdtsc 2_2_03CAD1C0
Source: C:\Windows\SysWOW64\mstsc.exe Window / User API: threadDelayed 9839
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe API coverage: 8.9 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mstsc.exe API coverage: 3.1 %
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe TID: 5032 Thread sleep time: -65000s >= -30000s
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe TID: 5032 Thread sleep time: -34500s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476 Thread sleep count: 134 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476 Thread sleep time: -268000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476 Thread sleep count: 9839 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476 Thread sleep time: -19678000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0007449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0007449B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4_2_0049C460 FindFirstFileW,FindNextFileW,FindClose, 4_2_0049C460
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00014AFE
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655j
Source: 2348427.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: merica.comVMware20,11696428655|UE
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CDYNVMware20,11696428655p
Source: 2348427.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 2348427.4.dr Binary or memory string: discord.comVMware20,11696428655f
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EU WestVMware20,1169642%
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: global block list test formVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ca.comVMware20,11696428655x
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,1169642
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,1169642r
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: actistorage_key EU WestVMware20,1169642%
Source: 2348427.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 2348427.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 2348427.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 2348427.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 2348427.4.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 2348427.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000006.00000002.2463739189.000001D7B271C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2348427.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,116964286
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nteractive Brokers - HKVMware20,11696428655]
Source: 2348427.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 2348427.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - NDCDYNVMware20,11696428655z
Source: 2348427.4.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20D
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 2348427.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 2348427.4.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 2348427.4.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 2348427.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: YKkstfciYBQ.exe, 00000003.00000002.3897025898.00000000008EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: 2348427.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: 2348427.4.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 2348427.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 2348427.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD1C0 rdtsc 2_2_03CAD1C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004176F3 LdrLoadDll, 2_2_004176F3
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0004B441 IsDebuggerPresent,OutputDebugStringW, 0_2_0004B441
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00045BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00045BFC
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0019AAC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0019AAC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0 (x6)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEB3D0 mov ecx, dword ptr fs:[00000030h] 2_2_03CEB3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF3E6 mov eax, dword ptr fs:[00000030h] 2_2_03CEF3E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D053FC mov eax, dword ptr fs:[00000030h] 2_2_03D053FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9 (x8)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h] 2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] 2_2_03C5438F (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0539D mov eax, dword ptr fs:[00000030h] 2_2_03D0539D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C8739A mov eax, dword ptr fs:[00000030h] 2_2_03C8739A (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C533A5 mov eax, dword ptr fs:[00000030h] 2_2_03C533A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C633A0 mov eax, dword ptr fs:[00000030h] 2_2_03C633A0 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349 (x15)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2D34C mov eax, dword ptr fs:[00000030h] 2_2_03C2D34C (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D05341 mov eax, dword ptr fs:[00000030h] 2_2_03D05341
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C29353 mov eax, dword ptr fs:[00000030h] 2_2_03C29353 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C (x5)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h] 2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h] 2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF367 mov eax, dword ptr fs:[00000030h] 2_2_03CEF367
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h] 2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h] 2_2_03C37370 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h] 2_2_03CB930B (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h] 2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF132D mov eax, dword ptr fs:[00000030h] 2_2_03CF132D (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5F32A mov eax, dword ptr fs:[00000030h] 2_2_03C5F32A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C27330 mov eax, dword ptr fs:[00000030h] 2_2_03C27330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3 (x5)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03C5B2C0 (x7)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C392C5 mov eax, dword ptr fs:[00000030h] 2_2_03C392C5 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h] 2_2_03C2B2D3 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5F2D0 mov eax, dword ptr fs:[00000030h] 2_2_03C5F2D0 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h] 2_2_03CE12ED (x14)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D052E2 mov eax, dword ptr fs:[00000030h] 2_2_03D052E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF2F8 mov eax, dword ptr fs:[00000030h] 2_2_03CEF2F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C292FF mov eax, dword ptr fs:[00000030h] 2_2_03C292FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h] 2_2_03C6E284 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D05283 mov eax, dword ptr fs:[00000030h] 2_2_03D05283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6329E mov eax, dword ptr fs:[00000030h] 2_2_03C6329E (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h] 2_2_03C402A0 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h] 2_2_03C452A0 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h] 2_2_03CF92A6 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0 (x5)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC72A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC72A0 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB92BC mov eax, dword ptr fs:[00000030h] 2_2_03CB92BC (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB92BC mov ecx, dword ptr fs:[00000030h] 2_2_03CB92BC (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C29240 mov eax, dword ptr fs:[00000030h] 2_2_03C29240 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h] 2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6724D mov eax, dword ptr fs:[00000030h] 2_2_03C6724D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h] 2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEB256 mov eax, dword ptr fs:[00000030h] 2_2_03CEB256 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h] 2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFD26B mov eax, dword ptr fs:[00000030h] 2_2_03CFD26B (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h] 2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C59274 mov eax, dword ptr fs:[00000030h] 2_2_03C59274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C71270 mov eax, dword ptr fs:[00000030h] 2_2_03C71270 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274 (x12)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C67208 mov eax, dword ptr fs:[00000030h] 2_2_03C67208 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D05227 mov eax, dword ptr fs:[00000030h] 2_2_03D05227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h] 2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03CF61C3 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6D1D0 mov eax, dword ptr fs:[00000030h] 2_2_03C6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6D1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03C6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D051CB mov eax, dword ptr fs:[00000030h] 2_2_03D051CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h] 2_2_03C551EF (x13)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C351ED mov eax, dword ptr fs:[00000030h] 2_2_03C351ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD71F9 mov esi, dword ptr fs:[00000030h] 2_2_03CD71F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h] 2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h] 2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h] 2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h] 2_2_03CEC188 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C87190 mov eax, dword ptr fs:[00000030h] 2_2_03C87190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h] 2_2_03CE11A4 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4B1B0 mov eax, dword ptr fs:[00000030h] 2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D05152 mov eax, dword ptr fs:[00000030h] 2_2_03D05152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h] 2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h] 2_2_03C29148 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C37152 mov eax, dword ptr fs:[00000030h] 2_2_03C37152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h] 2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h] 2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h] 2_2_03C36154 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h] 2_2_03C2F172 (x21)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC9179 mov eax, dword ptr fs:[00000030h] 2_2_03CC9179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h] 2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h] 2_2_03CDA118 (x3)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h] 2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h] 2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C31131 mov eax, dword ptr fs:[00000030h] 2_2_03C31131 (x2)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h] 2_2_03C2B136 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h] 2_2_03C470C0 (x14)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h] 2_2_03C470C0 (x4)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D050D9 mov eax, dword ptr fs:[00000030h] 2_2_03D050D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h] 2_2_03CAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h] 2_2_03CAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h] 2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C590DB mov eax, dword ptr fs:[00000030h] 2_2_03C590DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C550E4 mov eax, dword ptr fs:[00000030h] 2_2_03C550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C550E4 mov ecx, dword ptr fs:[00000030h] 2_2_03C550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h] 2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h] 2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h] 2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h] 2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2D08D mov eax, dword ptr fs:[00000030h] 2_2_03C2D08D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C35096 mov eax, dword ptr fs:[00000030h] 2_2_03C35096
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h] 2_2_03C5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h] 2_2_03C5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6909C mov eax, dword ptr fs:[00000030h] 2_2_03C6909C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h] 2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h] 2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h] 2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD705E mov ebx, dword ptr fs:[00000030h] 2_2_03CD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD705E mov eax, dword ptr fs:[00000030h] 2_2_03CD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5B052 mov eax, dword ptr fs:[00000030h] 2_2_03C5B052
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h] 2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB106E mov eax, dword ptr fs:[00000030h] 2_2_03CB106E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D05060 mov eax, dword ptr fs:[00000030h] 2_2_03D05060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov ecx, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h] 2_2_03C41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h] 2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAD070 mov ecx, dword ptr fs:[00000030h] 2_2_03CAD070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h] 2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h] 2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h] 2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h] 2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h] 2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h] 2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h] 2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h] 2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h] 2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h] 2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h] 2_2_03CF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h] 2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h] 2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h] 2_2_03C357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h] 2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3D7E0 mov ecx, dword ptr fs:[00000030h] 2_2_03C3D7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h] 2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h] 2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h] 2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h] 2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h] 2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF78A mov eax, dword ptr fs:[00000030h] 2_2_03CEF78A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB97A9 mov eax, dword ptr fs:[00000030h] 2_2_03CB97A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03CBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D037B6 mov eax, dword ptr fs:[00000030h] 2_2_03D037B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h] 2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5D7B0 mov eax, dword ptr fs:[00000030h] 2_2_03C5D7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03C2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h] 2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h] 2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h] 2_2_03C43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h] 2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h] 2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h] 2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h] 2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h] 2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h] 2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D03749 mov eax, dword ptr fs:[00000030h] 2_2_03D03749
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h] 2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h] 2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h] 2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h] 2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h] 2_2_03C2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h] 2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] 2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C37703 mov eax, dword ptr fs:[00000030h] 2_2_03C37703
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C35702 mov eax, dword ptr fs:[00000030h] 2_2_03C35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C35702 mov eax, dword ptr fs:[00000030h] 2_2_03C35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h] 2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h] 2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h] 2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6F71F mov eax, dword ptr fs:[00000030h] 2_2_03C6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6F71F mov eax, dword ptr fs:[00000030h] 2_2_03C6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF72E mov eax, dword ptr fs:[00000030h] 2_2_03CEF72E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C33720 mov eax, dword ptr fs:[00000030h] 2_2_03C33720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h] 2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h] 2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h] 2_2_03C4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF972B mov eax, dword ptr fs:[00000030h] 2_2_03CF972B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h] 2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h] 2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h] 2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h] 2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h] 2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h] 2_2_03D0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C29730 mov eax, dword ptr fs:[00000030h] 2_2_03C29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C29730 mov eax, dword ptr fs:[00000030h] 2_2_03C29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C65734 mov eax, dword ptr fs:[00000030h] 2_2_03C65734
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3973A mov eax, dword ptr fs:[00000030h] 2_2_03C3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3973A mov eax, dword ptr fs:[00000030h] 2_2_03C3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h] 2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h] 2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h] 2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h] 2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h] 2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h] 2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h] 2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h] 2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEF6C7 mov eax, dword ptr fs:[00000030h] 2_2_03CEF6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C616CF mov eax, dword ptr fs:[00000030h] 2_2_03C616CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] 2_2_03CC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5D6E0 mov eax, dword ptr fs:[00000030h] 2_2_03C5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5D6E0 mov eax, dword ptr fs:[00000030h] 2_2_03C5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C636EF mov eax, dword ptr fs:[00000030h] 2_2_03C636EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CED6F0 mov eax, dword ptr fs:[00000030h] 2_2_03CED6F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h] 2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h] 2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h] 2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h] 2_2_03CB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h] 2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h] 2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2D6AA mov eax, dword ptr fs:[00000030h] 2_2_03C2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2D6AA mov eax, dword ptr fs:[00000030h] 2_2_03C2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h] 2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h] 2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h] 2_2_03C276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h] 2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h] 2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h] 2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h] 2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h] 2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h] 2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C69660 mov eax, dword ptr fs:[00000030h] 2_2_03C69660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C69660 mov eax, dword ptr fs:[00000030h] 2_2_03C69660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h] 2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C61607 mov eax, dword ptr fs:[00000030h] 2_2_03C61607
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h] 2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6F603 mov eax, dword ptr fs:[00000030h] 2_2_03C6F603
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] 2_2_03C4260B
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0004997C GetProcessHeap,RtlAllocateHeap,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_0004997C
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003A2A4 SetUnhandledExceptionFilter, 0_2_0003A2A4
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_0003A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0003A2D5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQuerySystemInformation: Direct from: 0x76EF48CC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtOpenSection: Direct from: 0x76EF2E0C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQueryInformationToken: Direct from: 0x76EF2CAC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtCreateFile: Direct from: 0x76EF2FEC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtOpenFile: Direct from: 0x76EF2DCC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtTerminateThread: Direct from: 0x76EF2FCC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtOpenKeyEx: Direct from: 0x76EF2B9C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtSetInformationProcess: Direct from: 0x76EF2C5C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtCreateMutant: Direct from: 0x76EF35CC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtResumeThread: Direct from: 0x76EF36AC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtMapViewOfSection: Direct from: 0x76EF2D1C Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtReadFile: Direct from: 0x76EF2ADC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtDelayExecution: Direct from: 0x76EF2DDC Jump to behavior
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 5768
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 31FC008
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00014A35
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00074A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00074A08
Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: PO-78140924.BAT.PDF.exe, YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000387AB cpuid 0_2_000387AB
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00045007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00045007
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_000440BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_000440BA
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00014AFE

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY