Windows Analysis Report
PO0424024.exe

Overview

General Information

Sample name:	PO0424024.exe
Analysis ID:	1430828
MD5:	192be7ac2833574aafeeea8e0cd52380
SHA1:	264298e6ebda222d48c0185c1ad168c51c0dc133
SHA256:	19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452
Tags:	exe
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: PO0424024.exe	ReversingLabs: Detection: 31%
Source: PO0424024.exe	Virustotal: Detection: 30%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.PO0424024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO0424024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4170807354.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2174491857.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170764124.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4157652949.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4176035041.0000000008660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172226006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2174679636.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4170805786.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: PO0424024.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: PO0424024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO0424024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: vgSP.pdb source: PO0424024.exe
Source:	Binary string: takeown.pdbGCTL source: PO0424024.exe, 00000002.00000002.2172583060.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000003.2241898532.0000000000D8F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000000.2094344581.0000000000C0E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO0424024.exe, 00000002.00000002.2172803570.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000007.00000002.4170974055.0000000003710000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000007.00000003.2174688748.0000000003568000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000007.00000002.4170974055.00000000038AE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000007.00000003.2172347160.00000000033B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: takeown.pdb source: PO0424024.exe, 00000002.00000002.2172583060.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000003.2241898532.0000000000D8F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO0424024.exe, PO0424024.exe, 00000002.00000002.2172803570.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 00000007.00000002.4170974055.0000000003710000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000007.00000003.2174688748.0000000003568000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000007.00000002.4170974055.00000000038AE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000007.00000003.2172347160.00000000033B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vgSP.pdbSHA256B source: PO0424024.exe

Source: C:\Windows\SysWOW64\takeown.exe

Code function: 7_2_02F1BAC0 FindFirstFileW,FindNextFileW,FindClose,

7_2_02F1BAC0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04CC2E0B
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04CC2E10
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_071024A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_071024A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07101C08
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_07102495
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07102495
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then jmp 0710FA83h	0_2_0710F128
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then xor edx, edx	0_2_07101FD0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then xor edx, edx	0_2_07101FC5
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07101D78
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07101D78
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07101D6C
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07101D6C
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07101BFD
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 4x nop then pop edi	6_2_0869B583
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 4x nop then xor eax, eax	6_2_0869E7D3
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then xor eax, eax	7_2_02F09290
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then pop edi	7_2_02F11FFB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then pop edi	7_2_02F0DD18

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49744 -> 91.195.240.19:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32
Source: Joe Sandbox View	IP Address: 91.195.240.123 91.195.240.123

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=J8WC84xruYdLZ+87Afe3OqqbMOMBhnRcdnGo6AhEflv3qioXWy6Vm5wGjKWjZFBj5bzfVwWaJCB72b3lEpkTXSJ8T31vhIsUx1l9uwIaTYdZUjGlsKsX5ww= HTTP/1.1Host: www.xn--yzyp76d.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?F49hs=zlo+FGSBhCkM5GVJsyQNaVbtL67WnJg88Yj7BD8zO0hDA+Ttp+tE7JQXtFhQSzjU/FmrV36xGrNmbpUbkD9mLWK1UOLjaHYQ4bVPRZ9N4YEmnoiYZJFdoy8=&9ZZXx=T6kxVZuXAVuH9J HTTP/1.1Host: www.luckydomainz.shopAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=zdIBKqN9oP3plxVQyNgvYq0mMKrvq5q/57+iRklTGjPKULzejm8MTR3zmbqN1d/mp0y1+1mzyQU/+H24oE5uDnI7sp5jy5UFN+aaU0u6oQX+YH9icEJ0mm4= HTTP/1.1Host: www.cd14j.usAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=4UCjKZAQgLnMxNicE9pqcHmXIZhn5ynD4ggafyrMLg7tBb5+FldYarQ4uWITApeKqaBZVuXxHE31Fdk4aV2tLvZQCfORxMIFcNC7KFHj2TQuLtYW7VfXj0w= HTTP/1.1Host: www.happymarts.topAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?F49hs=oyw/nBwJ61bGycTt7MUH34VrSoK42dIQz9F/9DQxJwbLEg40x6X3ShxK/IPLtNyuGmfUrEEfHvul1hK0yfa95YoddznUFYR7i1LwCbVe0J8wy+lXuD76n/g=&9ZZXx=T6kxVZuXAVuH9J HTTP/1.1Host: www.unchainedventure.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=p2Os9DL/ZxMFxY/q2Ap/Yp5OBLYS19DXFnG8XGpKHfd79mzMsmb8450rEHnCTj1drUgFrotC1uV7Mqyg6tK80c0eBV3oPBtu8fCz/gVC+CE8Jn7lRxODf9w= HTTP/1.1Host: www.klconstructions.netAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?F49hs=BhpYg4yoBpmopPUlJaseZ9A32WKe1CLsx7T3vymtgFCfsO9mDgtC+XcLrPQxM3XDzIUIWI4YDMWjav9FDMEzU1DT6w46OubC82AXo7xlEXtHI7IZbAZeHk0=&9ZZXx=T6kxVZuXAVuH9J HTTP/1.1Host: www.kakaobrain.usAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=NMNyNvSWAQl+XC9g7rBusjWgWNBgohatDhvK1KIHhjj0aHE/UrTu3yYXFvlKPRx40FckhBe9K4BGmhcAc+bYC4VcVVEG0KUeJFitahxkTU5y9cpDhM+xwHc= HTTP/1.1Host: www.celebration24.co.ukAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?F49hs=MObKLoLcQ3KtCADN97wn86+o0wPQork8bFr1s6JTaoDyqc40RECNe9PhrOxqi3MgZSZhgejHn8Ef7GGARJGddcFpBOofhs/CBnQlSCAqoezIccakXprB4JQ=&9ZZXx=T6kxVZuXAVuH9J HTTP/1.1Host: www.holein1sa.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=b2qFmWlReUJu6citZAtbwrrOSkIcZF9V2+9XddDidwLqjCK16JlrjYTgkvrAjFAj/kbk/ZD/H0dWxyKKd1m8GF0arunEMZ5tvTjrHaUhlNNo1MItznWZgp0= HTTP/1.1Host: www.shun-yamagata.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?F49hs=ERhh1Wv2i17OvleZDVlPuLV8FPLSNlSjgSFKCO/E5FvVDH88mB+A3XwhrFKA0T7u6+xnysJANU3lpyUswnu1e2FhmydoRAv58fVG4PjZmouhcgICZXbhSfU=&9ZZXx=T6kxVZuXAVuH9J HTTP/1.1Host: www.carsinmultan.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=mRVcZEOhq89+MGHBKj9OIc/04Av6T2wEhyk9HpRK9pO5sVzjQ2X+QIoGEwrX8lym3PQN8R/kDgsMd57+ef1OrGKEsTU4CFRzLSC8xo47mPR0FpBjSaDhnxk= HTTP/1.1Host: www.threesomeapps.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com

Source: unknown

DNS traffic detected: queries for: www.xn--yzyp76d.com

Source: unknown

HTTP traffic detected: POST /pq0o/ HTTP/1.1Host: www.luckydomainz.shopAccept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateOrigin: http://www.luckydomainz.shopContent-Length: 202Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Referer: http://www.luckydomainz.shop/pq0o/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.comData Raw: 46 34 39 68 73 3d 2b 6e 41 65 47 7a 57 59 75 77 46 2f 37 67 35 74 74 43 52 6a 56 47 79 7a 44 62 48 34 68 5a 45 42 31 75 76 37 4b 46 38 77 45 48 77 49 41 72 6a 4f 6b 2b 34 69 2f 49 77 6f 39 46 56 44 65 30 37 51 2b 32 7a 70 63 6c 43 64 43 4a 74 46 57 37 6f 37 75 43 42 2f 4e 46 43 53 56 35 44 77 62 31 78 53 78 4c 56 65 52 65 4d 5a 30 64 41 79 32 5a 4f 51 51 4d 46 4b 73 68 6e 69 64 4d 78 6e 66 48 4b 78 50 64 49 4f 6b 47 30 4e 74 32 2f 6c 30 59 63 2f 59 38 4e 4f 4b 6e 49 46 61 51 51 38 2f 5a 71 42 35 49 6c 6e 6d 32 2b 74 66 68 46 46 35 7a 74 59 33 31 63 35 35 52 7a 78 41 4e 4c 53 63 39 6c 5a 6c 51 3d 3d Data Ascii: F49hs=+nAeGzWYuwF/7g5ttCRjVGyzDbH4hZEB1uv7KF8wEHwIArjOk+4i/Iwo9FVDe07Q+2zpclCdCJtFW7o7uCB/NFCSV5Dwb1xSxLVeReMZ0dAy2ZOQQMFKshnidMxnfHKxPdIOkG0Nt2/l0Yc/Y8NOKnIFaQQ8/ZqB5Ilnm2+tfhFF5ztY31c55RzxANLSc9lZlQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:21:00 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 64 34 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 3c 74 69 74 6c 65 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 72 6b 73 6d 69 6c 65 2e 63 6f 6d 2f 61 73 73 65 74 2f 6c 70 5f 73 74 79 6c 65 2e 63 73 73 22 20 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 33 36 35 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 68 74 6d 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 66 69 6c 65 2f 6d 61 69 6c 2e 70 6e 67 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 61 75 74 6f 22 20 61 6c 74 3d 22 33 36 35 e9 82 ae e7 ae b1 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 7a 2d 69 6e 64 65 78 3a 20 31 3b 22 3e 3c 2f 61 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 6d 22 20 3e 3c 68 32 20 69 64 3d 22 64 6f 6d 61 69 6e 22 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 68 32 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 67 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 2f 2f 63 6f 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 22 3e 0a 3c 74 61 62 6c 65 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 0a 3c 74 72 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 3e e5 9f 9f e5 90 8d e6 89 98 e7 ae a1 e5 95 86 3a 3c 69 6d 67 20 73 72 63 3d 22 66 69 6c 65 2f 6d 61 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:21:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:21:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:09 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:12 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:15 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 07:22:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 24 Apr 2024 07:22:25 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 24 Apr 2024 07:22:27 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 24 Apr 2024 07:22:30 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 24 Apr 2024 07:22:33 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:22:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web1X-Frontend: frontend1X-Trace-Id: ti_7343f46edcd9f96fb68e7e4b06c528fbContent-Encoding: gzipData Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 fc ce ca f1 9c 2f 2e 1f e1 17 03 33 d4 70 20 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 15fuRN0G$,V;/{]b\]\|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D\|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:22:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web1X-Frontend: frontend1X-Trace-Id: ti_ce87ebb1c2dc981065b6c7a49f41ff91Content-Encoding: gzipData Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 fc ce ca f1 9c 2f 2e 1f e1 17 03 33 d4 70 20 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 15fuRN0G$,V;/{]b\]\|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D\|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:00 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web1X-Frontend: frontend1X-Trace-Id: ti_d5c4342eba5648d0e37aff19080e5474Content-Encoding: gzipData Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 fc ce ca f1 9c 2f 2e 1f e1 17 03 33 d4 70 20 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 15fuRN0G$,V;/{]b\]\|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D\|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:03 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: web1X-Frontend: frontend1X-Trace-Id: ti_16a8c42446ad6860b49f11dbac5edcfaData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 69 73 20 64 6f 6d 61 69 6e 2c 20 79 6f 75 20 63 61 6e 20 73 65 74 75 70 20 61 20 70 61 67 65 20 68 65 72 65 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 2e 68 65 6c 70 2f 68 63 2f 65 6e 2d 75 73 2f 61 72 74 69 63 6c 65 73 2f 31 35 30 30 30 30 30 32 38 30 31 34 31 22 3e 63 72 65 61 74 69 6e 67 20 61 20 70 61 67 65 2f 77 65 62 73 69 74 65 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:57 GMTETag: W/"afe-6014d9a904f4f"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 aa 40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:57 GMTETag: W/"afe-6014d9a904f4f"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 aa 40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:57 GMTETag: W/"afe-6014d9a904f4f"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 aa 40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 07:23:31 GMTContent-Type: text/htmlContent-Length: 2814Connection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:57 GMTETag: "afe-6014d9a904f4f"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6

Source: PO0424024.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO0424024.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO0424024.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO0424024.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000006614000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2456443722.000000000EFB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.marksmile.com/asset/lp_qrcode.png
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000006614000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2456443722.000000000EFB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.marksmile.com/asset/lp_style.css
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO0424024.exe, 00000000.00000002.1733538993.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4176035041.00000000086E0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.threesomeapps.com
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4176035041.00000000086E0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.threesomeapps.com/pq0o/
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO0424024.exe, 00000000.00000002.1733639364.0000000006942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fasthosts.co.uk/
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.00000000067A6000.00000004.80000000.00040000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007112000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4172750176.0000000006530000.00000004.00000800.00020000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004C22000.00000004.10000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000006614000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2456443722.000000000EFB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://lf6-cdn-tos.bytecdntp.com/cdn/expire-1-M/axios/0.26.0/axios.min.js
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfd
Source: takeown.exe, 00000007.00000002.4158156382.00000000031AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: takeown.exe, 00000007.00000002.4158156382.000000000317E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: takeown.exe, 00000007.00000003.2348545654.0000000007FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000006614000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2456443722.000000000EFB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://mail.365.com/login.html
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007436000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://static.fasthosts.co.uk/icons/favicon.ico
Source: PO0424024.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: takeown.exe, 00000007.00000002.4172934336.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007436000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007436000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007436000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.00000000072A4000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004DB4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.00000000072A4000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004DB4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007436000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004F46000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000006614000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2456443722.000000000EFB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.marksmile.com/
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.0000000007112000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4172750176.0000000006530000.00000004.00000800.00020000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.0000000004C22000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=kakaobrain.us
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4174754197.00000000067A6000.00000004.80000000.00040000.00000000.sdmp, takeown.exe, 00000007.00000002.4171352067.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=luckydomainz.shop
Source: takeown.exe, 00000007.00000002.4171352067.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.PO0424024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO0424024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4170807354.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2174491857.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170764124.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4157652949.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4176035041.0000000008660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172226006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2174679636.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4170805786.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.PO0424024.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.PO0424024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4170807354.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2174491857.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4170764124.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4157652949.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4176035041.0000000008660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2172226006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2174679636.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4170805786.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0042B263 NtClose,	2_2_0042B263
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA35C0 NtCreateMutant,LdrInitializeThunk,	2_2_00FA35C0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2B60 NtClose,LdrInitializeThunk,	2_2_00FA2B60
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_00FA2C70
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00FA2DF0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA3090 NtSetValueKey,	2_2_00FA3090
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA3010 NtOpenDirectoryObject,	2_2_00FA3010
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA4340 NtSetContextThread,	2_2_00FA4340
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA4650 NtSuspendThread,	2_2_00FA4650
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA39B0 NtGetContextThread,	2_2_00FA39B0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2AF0 NtWriteFile,	2_2_00FA2AF0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2AD0 NtReadFile,	2_2_00FA2AD0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2AB0 NtWaitForSingleObject,	2_2_00FA2AB0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2BF0 NtAllocateVirtualMemory,	2_2_00FA2BF0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2BE0 NtQueryValueKey,	2_2_00FA2BE0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2BA0 NtEnumerateValueKey,	2_2_00FA2BA0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2B80 NtQueryInformationFile,	2_2_00FA2B80
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2CF0 NtOpenProcess,	2_2_00FA2CF0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2CC0 NtQueryVirtualMemory,	2_2_00FA2CC0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2CA0 NtQueryInformationToken,	2_2_00FA2CA0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2C60 NtCreateKey,	2_2_00FA2C60
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2C00 NtQueryInformationProcess,	2_2_00FA2C00
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2DD0 NtDelayExecution,	2_2_00FA2DD0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2DB0 NtEnumerateKey,	2_2_00FA2DB0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA3D70 NtOpenThread,	2_2_00FA3D70
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2D30 NtUnmapViewOfSection,	2_2_00FA2D30
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2D10 NtMapViewOfSection,	2_2_00FA2D10
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA3D10 NtOpenProcessToken,	2_2_00FA3D10
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2D00 NtSetInformationFile,	2_2_00FA2D00
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2EE0 NtQueueApcThread,	2_2_00FA2EE0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2EA0 NtAdjustPrivilegesToken,	2_2_00FA2EA0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2E80 NtReadVirtualMemory,	2_2_00FA2E80
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2E30 NtWriteVirtualMemory,	2_2_00FA2E30
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2FE0 NtCreateFile,	2_2_00FA2FE0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2FB0 NtResumeThread,	2_2_00FA2FB0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2FA0 NtQuerySection,	2_2_00FA2FA0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2F90 NtProtectVirtualMemory,	2_2_00FA2F90
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2F60 NtCreateProcessEx,	2_2_00FA2F60
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA2F30 NtCreateSection,	2_2_00FA2F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03784340 NtSetContextThread,LdrInitializeThunk,	7_2_03784340
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03784650 NtSuspendThread,LdrInitializeThunk,	7_2_03784650
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782B60 NtClose,LdrInitializeThunk,	7_2_03782B60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03782BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_03782BE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_03782BA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782AF0 NtWriteFile,LdrInitializeThunk,	7_2_03782AF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782AD0 NtReadFile,LdrInitializeThunk,	7_2_03782AD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782F30 NtCreateSection,LdrInitializeThunk,	7_2_03782F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782FE0 NtCreateFile,LdrInitializeThunk,	7_2_03782FE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782FB0 NtResumeThread,LdrInitializeThunk,	7_2_03782FB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_03782EE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03782E80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03782D30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03782D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03782DF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03782DD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03782C70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782C60 NtCreateKey,LdrInitializeThunk,	7_2_03782C60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03782CA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037835C0 NtCreateMutant,LdrInitializeThunk,	7_2_037835C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037839B0 NtGetContextThread,LdrInitializeThunk,	7_2_037839B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782B80 NtQueryInformationFile,	7_2_03782B80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782AB0 NtWaitForSingleObject,	7_2_03782AB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782F60 NtCreateProcessEx,	7_2_03782F60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782FA0 NtQuerySection,	7_2_03782FA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782F90 NtProtectVirtualMemory,	7_2_03782F90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782E30 NtWriteVirtualMemory,	7_2_03782E30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782EA0 NtAdjustPrivilegesToken,	7_2_03782EA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782D00 NtSetInformationFile,	7_2_03782D00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782DB0 NtEnumerateKey,	7_2_03782DB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782C00 NtQueryInformationProcess,	7_2_03782C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782CF0 NtOpenProcess,	7_2_03782CF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03782CC0 NtQueryVirtualMemory,	7_2_03782CC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03783010 NtOpenDirectoryObject,	7_2_03783010
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03783090 NtSetValueKey,	7_2_03783090
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03783D70 NtOpenThread,	7_2_03783D70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03783D10 NtOpenProcessToken,	7_2_03783D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F27AD0 NtReadFile,	7_2_02F27AD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F27BB0 NtDeleteFile,	7_2_02F27BB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F27970 NtCreateFile,	7_2_02F27970
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F27C50 NtClose,	7_2_02F27C50
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F27DA0 NtAllocateVirtualMemory,	7_2_02F27DA0

Detected potential crypto function

Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0257DFE4	0_2_0257DFE4
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CC6E40	0_2_04CC6E40
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CC0589	0_2_04CC0589
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CC0598	0_2_04CC0598
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CC6E33	0_2_04CC6E33
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04D97684	0_2_04D97684
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04D9BC28	0_2_04D9BC28
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_071004B8	0_2_071004B8
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_071001A0	0_2_071001A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07107C10	0_2_07107C10
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710B568	0_2_0710B568
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_071004A8	0_2_071004A8
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710B130	0_2_0710B130
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07101139	0_2_07101139
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07101148	0_2_07101148
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07100190	0_2_07100190
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07103F50	0_2_07103F50
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07103FB0	0_2_07103FB0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07103FA1	0_2_07103FA1
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710CC10	0_2_0710CC10
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07107C09	0_2_07107C09
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710ACF8	0_2_0710ACF8
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07102A48	0_2_07102A48
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_07102A80	0_2_07102A80
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710A8C0	0_2_0710A8C0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_071F12A0	0_2_071F12A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040E04A	2_2_0040E04A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040E053	2_2_0040E053
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401114	2_2_00401114
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00402920	2_2_00402920
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401120	2_2_00401120
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401280	2_2_00401280
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00403388	2_2_00403388
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00403390	2_2_00403390
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401570	2_2_00401570
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040FDAA	2_2_0040FDAA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040FDB3	2_2_0040FDB3
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00402640	2_2_00402640
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0042D653	2_2_0042D653
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00416703	2_2_00416703
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040FFD3	2_2_0040FFD3
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0100A118	2_2_0100A118
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F770C0	2_2_00F770C0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0103B16B	2_2_0103B16B
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010301AA	2_2_010301AA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010281CC	2_2_010281CC
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F7B1B0	2_2_00F7B1B0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F5F172	2_2_00F5F172
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FA516C	2_2_00FA516C
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0101F0CC	2_2_0101F0CC
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102F0E0	2_2_0102F0E0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010270E9	2_2_010270E9
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F60100	2_2_00F60100
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8D2F0	2_2_00F8D2F0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102132D	2_2_0102132D
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8B2C0	2_2_00F8B2C0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102A352	2_2_0102A352
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F752A0	2_2_00F752A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010303E6	2_2_010303E6
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F7E3F0	2_2_00F7E3F0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FB739A	2_2_00FB739A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01010274	2_2_01010274
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F5D34C	2_2_00F5D34C
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010112ED	2_2_010112ED
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01027571	2_2_01027571
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01030591	2_2_01030591
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F61460	2_2_00F61460
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0100D5B0	2_2_0100D5B0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102F43F	2_2_0102F43F
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01022446	2_2_01022446
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F70535	2_2_00F70535
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0101E4F6	2_2_0101E4F6
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8C6E0	2_2_00F8C6E0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102F7B0	2_2_0102F7B0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F6C7C0	2_2_00F6C7C0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F70770	2_2_00F70770
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F94750	2_2_00F94750
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_010216CC	2_2_010216CC
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F9E8F0	2_2_00F9E8F0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F738E0	2_2_00F738E0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F568B8	2_2_00F568B8
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0103A9A6	2_2_0103A9A6
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F72840	2_2_00F72840
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F7A840	2_2_00F7A840
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FDD800	2_2_00FDD800
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F729A0	2_2_00F729A0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F86962	2_2_00F86962
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F79950	2_2_00F79950
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8B950	2_2_00F8B950
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102AB40	2_2_0102AB40
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FB5AA0	2_2_00FB5AA0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102FB76	2_2_0102FB76
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F6EA80	2_2_00F6EA80
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FE3A6C	2_2_00FE3A6C
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01026BD7	2_2_01026BD7
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FADBF9	2_2_00FADBF9
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01027A46	2_2_01027A46
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102FA49	2_2_0102FA49
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8FB80	2_2_00F8FB80
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0100DAAC	2_2_0100DAAC
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0101DAC6	2_2_0101DAC6
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F60CF2	2_2_00F60CF2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01021D5A	2_2_01021D5A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01027D73	2_2_01027D73
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FE9C32	2_2_00FE9C32
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F70C00	2_2_00F70C00
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F6ADE0	2_2_00F6ADE0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F8FDC0	2_2_00F8FDC0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F88DBF	2_2_00F88DBF
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_01010CB5	2_2_01010CB5
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F73D40	2_2_00F73D40
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102FCF2	2_2_0102FCF2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F7AD00	2_2_00F7AD00
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102FF09	2_2_0102FF09
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F79EB0	2_2_00F79EB0
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F82E90	2_2_00F82E90
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F70E59	2_2_00F70E59
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102FFB1	2_2_0102FFB1
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102EE26	2_2_0102EE26
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F62FC8	2_2_00F62FC8
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F71F92	2_2_00F71F92
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102CE93	2_2_0102CE93
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FE4F40	2_2_00FE4F40
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00F90F30	2_2_00F90F30
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00FB2F28	2_2_00FB2F28
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0102EEDB	2_2_0102EEDB
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086A6AF3	6_2_086A6AF3
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086A1CE3	6_2_086A1CE3
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086A1CDA	6_2_086A1CDA
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086BF583	6_2_086BF583
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086A8633	6_2_086A8633
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_0869FF7A	6_2_0869FF7A
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_086A1F03	6_2_086A1F03
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Code function: 6_2_0869FF83	6_2_0869FF83
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_038103E6	7_2_038103E6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0375E3F0	7_2_0375E3F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380A352	7_2_0380A352
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037F0274	7_2_037F0274
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037D02C0	7_2_037D02C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037D8158	7_2_037D8158
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_038101AA	7_2_038101AA
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_038081CC	7_2_038081CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037EA118	7_2_037EA118
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03740100	7_2_03740100
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037E2000	7_2_037E2000
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03750770	7_2_03750770
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03774750	7_2_03774750
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0374C7C0	7_2_0374C7C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376C6E0	7_2_0376C6E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03810591	7_2_03810591
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03750535	7_2_03750535
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037FE4F6	7_2_037FE4F6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03802446	7_2_03802446
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03806BD7	7_2_03806BD7
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380AB40	7_2_0380AB40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0374EA80	7_2_0374EA80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03766962	7_2_03766962
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0381A9A6	7_2_0381A9A6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037529A0	7_2_037529A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03752840	7_2_03752840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0375A840	7_2_0375A840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0377E8F0	7_2_0377E8F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037368B8	7_2_037368B8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037C4F40	7_2_037C4F40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03770F30	7_2_03770F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03792F28	7_2_03792F28
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03742FC8	7_2_03742FC8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037CEFA0	7_2_037CEFA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380CE93	7_2_0380CE93
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03750E59	7_2_03750E59
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380EEDB	7_2_0380EEDB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380EE26	7_2_0380EE26
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03762E90	7_2_03762E90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037ECD1F	7_2_037ECD1F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0375AD00	7_2_0375AD00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0374ADE0	7_2_0374ADE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03768DBF	7_2_03768DBF
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03750C00	7_2_03750C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03740CF2	7_2_03740CF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037F0CB5	7_2_037F0CB5
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0373D34C	7_2_0373D34C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380132D	7_2_0380132D
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0379739A	7_2_0379739A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376D2F0	7_2_0376D2F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037F12ED	7_2_037F12ED
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376B2C0	7_2_0376B2C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037552A0	7_2_037552A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0373F172	7_2_0373F172
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0378516C	7_2_0378516C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0375B1B0	7_2_0375B1B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0381B16B	7_2_0381B16B
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380F0E0	7_2_0380F0E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_038070E9	7_2_038070E9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037FF0CC	7_2_037FF0CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037570C0	7_2_037570C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380F7B0	7_2_0380F7B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_038016CC	7_2_038016CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037ED5B0	7_2_037ED5B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03807571	7_2_03807571
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03741460	7_2_03741460
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380F43F	7_2_0380F43F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0378DBF9	7_2_0378DBF9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037C5BF0	7_2_037C5BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380FB76	7_2_0380FB76
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376FB80	7_2_0376FB80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037C3A6C	7_2_037C3A6C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037FDAC6	7_2_037FDAC6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03807A46	7_2_03807A46
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380FA49	7_2_0380FA49
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037EDAAC	7_2_037EDAAC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03795AA0	7_2_03795AA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03759950	7_2_03759950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376B950	7_2_0376B950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037E5910	7_2_037E5910
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037BD800	7_2_037BD800
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037538E0	7_2_037538E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380FFB1	7_2_0380FFB1
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380FF09	7_2_0380FF09
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03713FD2	7_2_03713FD2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03713FD5	7_2_03713FD5
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03751F92	7_2_03751F92
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03759EB0	7_2_03759EB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03753D40	7_2_03753D40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0376FDC0	7_2_0376FDC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03801D5A	7_2_03801D5A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_03807D73	7_2_03807D73
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_037C9C32	7_2_037C9C32
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_0380FCF2	7_2_0380FCF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F115B0	7_2_02F115B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F130F0	7_2_02F130F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F2A040	7_2_02F2A040
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F0C7A0	7_2_02F0C7A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F0C797	7_2_02F0C797
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F0AA40	7_2_02F0AA40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F0AA37	7_2_02F0AA37
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 7_2_02F0C9C0	7_2_02F0C9C0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03785130 appears 58 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 0373B970 appears 257 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 037BEA12 appears 86 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03797E54 appears 98 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 037CF290 appears 103 times
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: String function: 00FB7E54 appears 86 times
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: String function: 00F5B970 appears 250 times
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: String function: 00FA5130 appears 36 times
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: String function: 00FEF290 appears 103 times
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: String function: 00FDEA12 appears 85 times

PE / OLE file has an invalid certificate

Source: PO0424024.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: PO0424024.exe, 00000000.00000002.1731456732.00000000046F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO0424024.exe
Source: PO0424024.exe, 00000000.00000002.1727453508.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO0424024.exe
Source: PO0424024.exe, 00000002.00000002.2172803570.000000000105D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO0424024.exe
Source: PO0424024.exe, 00000002.00000002.2172583060.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametakeown.exej% vs PO0424024.exe
Source: PO0424024.exe	Binary or memory string: OriginalFilenamevgSP.exeX vs PO0424024.exe

Uses 32bit PE files

Source: PO0424024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.PO0424024.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.PO0424024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4170807354.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2174491857.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4170764124.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4157652949.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4176035041.0000000008660000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2172226006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2174679636.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4170805786.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: PO0424024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO0424024.exe.6e70000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO0424024.exe.6e70000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, rljZitc2Y0Y5BASKed.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, rljZitc2Y0Y5BASKed.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, lXG347jmgqtSJbUTFQ.cs	Security API names: _0020.AddAccessRule

Source: 0.2.PO0424024.exe.6fa0000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PO0424024.exe.272f628.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PO0424024.exe.2acdcc4.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PO0424024.exe.273f9e4.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/11

Source: C:\Users\user\Desktop\PO0424024.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO0424024.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\PO0424024.exe "C:\Users\user\Desktop\PO0424024.exe"
Source: C:\Users\user\Desktop\PO0424024.exe	Process created: C:\Users\user\Desktop\PO0424024.exe "C:\Users\user\Desktop\PO0424024.exe"
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO0424024.exe	Process created: C:\Users\user\Desktop\PO0424024.exe "C:\Users\user\Desktop\PO0424024.exe"	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: PO0424024.exe, frm_Graph_Drawer.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, lXG347jmgqtSJbUTFQ.cs	.Net Code: vZNsi4Vxjb System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, lXG347jmgqtSJbUTFQ.cs	.Net Code: vZNsi4Vxjb System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_025760F0 push esp; ret	0_2_025762D1
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_02574659 push edx; ret	0_2_0257465A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_025747D7 push ebx; ret	0_2_025747DA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_025747DF push ebx; ret	0_2_025747E2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_025747DB push ebx; ret	0_2_025747DE
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_025748D1 push edi; ret	0_2_025748D2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0257489B push esi; ret	0_2_025748A2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_02574898 push esi; ret	0_2_0257489A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0257AE79 pushfd ; ret	0_2_0257AE7A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CCBC1B pushfd ; retf	0_2_04CCBC32
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CCBDCF pushfd ; retf	0_2_04CCBDD2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CCBDF0 pushfd ; retf	0_2_04CCBDF2
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CCBDF3 pushfd ; retf	0_2_04CCBDFA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04CCBD60 pushfd ; retf	0_2_04CCBD62
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04D937D0 push eax; iretd	0_2_04D937D1
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04D9CF50 push eax; mov dword ptr [esp], edx	0_2_04D9CF64
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_04D9783F push eax; retf	0_2_04D97855
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 0_2_0710F893 pushfd ; iretd	0_2_0710F894
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00405053 push ebx; retf	2_2_00405057
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_004120FD push ebx; retf	2_2_004121FA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0041188E push EFD03D13h; retf	2_2_00411893
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040E197 push ecx; retf	2_2_0040E19A
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0041A996 push ss; iretd	2_2_0041A997
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_004121B7 push ebx; retf	2_2_004121FA
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00415A03 push esi; iretd	2_2_00415A0E
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401A08 push B865D3CCh; retf	2_2_00401A07
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_004082D1 push eax; retf	2_2_004082DB
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040A468 push ebp; iretd	2_2_0040A477
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040A4D5 push eax; ret	2_2_0040A4D6
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_00401570 push 3D820602h; retn 74BEh	2_2_004016E4
Source: C:\Users\user\Desktop\PO0424024.exe	Code function: 2_2_0040A534 push FFFFFFDDh; ret	2_2_0040A562

Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, xf8DemTR0ISrUguC1O.cs	High entropy of concatenated method names: 'edW9l9xt5j', 'qhy9QqhwoQ', 'vNT9AO1Tqf', 'TLJ9TIjJv5', 'otN9t09Zar', 'sYZ9pUjRG9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, eBYpIxWVls18WZje7r.cs	High entropy of concatenated method names: 'OYI9ZurbWC', 'UPY9j1TvsM', 'jUZ9Dr2eco', 'QfE95leSYA', 'yeM91hUGpq', 'WgG9NVyUFd', 'qPU9bdY8K0', 'Bd49U6a4Op', 'd4h9FAFf2Y', 'pMm9RAWQZH'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, rljZitc2Y0Y5BASKed.cs	High entropy of concatenated method names: 'DmFjtUAaka', 'bywj36g4g1', 'tFXjC1YfB4', 'KhpjyvNOtN', 'Xauj23HFbI', 'AYUjIFionN', 'jVAjWO8DqS', 'R3qjhygHoH', 'EtjjnvIhV2', 'xOFjPICKcM'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, lXG347jmgqtSJbUTFQ.cs	High entropy of concatenated method names: 'LjeBX4dqgk', 'VijBZmq1Uh', 'AllBjxZkr6', 'aMrBDL1oex', 'oclB5u5Yxd', 'PlBB1VblDT', 'dBDBN86cgq', 'VGJBbpIG4E', 'yZ1BU2OZkS', 'Ou6BFjWGp9'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, uYUEXyzt1iYrE6QGDP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'as68gFsZ6j', 'X2x8dZbT6L', 'VGJ807UqWe', 'Oq08JFv4X3', 'zal89rjJDZ', 'jao88mJ59B', 'rOS8YXiluy'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, ey3HbfxvqqZn9WU7CP.cs	High entropy of concatenated method names: 't3mNMmGRoE', 'MyCN4JNn8T', 'BVXNiFe8CL', 'HgGNES8dWV', 'sn5NHowslL', 'fFHNO2wHIK', 'DBZNLtKyTY', 'dv6NfbwYE7', 'aVYNui3Qd4', 'i4HNxIlMVt'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, n0kSbQGRSvlHte8Eib.cs	High entropy of concatenated method names: 'WA2DE5vqIT', 'aRkDOOgKjK', 'T2ZDf4GkIo', 'GCMDuUhFI5', 'cZ2DdAXlWG', 'mNqD0tEn5C', 'HwcDJTOueh', 'rDKD9t1XfJ', 'VnbD8mhN1R', 'rl6DYeUc35'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, bA3SS5wJKrXALX79qC.cs	High entropy of concatenated method names: 'KmxJFZfYVQ', 'X3fJRfBKKe', 'ToString', 'RSHJZGvhwF', 'F7HJjoJEyU', 'W1jJDf2mue', 'sF2J5uLaLk', 'qNhJ1XehYo', 'N2WJNuiNfu', 'ta7JbePFKo'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, KGeVZ28UIBVNOkPHmF.cs	High entropy of concatenated method names: 'Dispose', 'kScrnhTsoW', 'r7c6QMPEKn', 'UwoGGkv0vR', 'iE9rPvXNMj', 'QZwrzYTi76', 'ProcessDialogKey', 'Thb6kWZ6qF', 'yoL6rGSrNe', 'zTl66rjInE'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, n1EW1fa7RmuHh2eHM9w.cs	High entropy of concatenated method names: 'TvL8MtbMHQ', 'yUN848Zb32', 'Dsi8iqCRt6', 'OoO8EMcOQF', 'rEg8Hri0ix', 'IoC8O2RKvt', 'god8LmwVUF', 'XHs8fduDbB', 'zLD8uOLi6r', 'fn08xHlIt6'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, YSxpOUA4uyf5JdNj1C.cs	High entropy of concatenated method names: 'su5dScxUtQ', 'GGTdKC7MgQ', 'EaUdtZ3R2m', 'Ubgd3sk4c5', 'xeydQds1Nv', 'yvsdAQhYOe', 'DKJdTAdxXJ', 'OWodp3r7Pu', 'aS8dVVvvwS', 'nxpdqgZo2p'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, m09LbGHvOCXuOlhAVi.cs	High entropy of concatenated method names: 'sJKNZJmK0d', 'OQeNDXBBuX', 'my8N1oRpVo', 'ytc1PynGb0', 'IKD1zVk84N', 'awONkiFIqd', 'e9QNr1H1iI', 'ufrN6ySxA0', 'a8ZNBqcHPR', 'L3ZNsmdppw'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, jaKfEhvVHNriyUHBD5.cs	High entropy of concatenated method names: 'rxt5H1UaLd', 'LyO5LlCpcT', 'eIgDAL5O7a', 'LNmDT5PEpB', 'JX4DpnPCnk', 'da5DVnJwY9', 'pkDDqRjRkD', 'cPtDwnF1Li', 'Wg2DeaGPb6', 'sZjDSZo8v0'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, TdpK7UBYZRso2FLCgU.cs	High entropy of concatenated method names: 'NA0Jhep55i', 'R7OJPSxUU4', 'xTA9ktWs0l', 'Tve9rhE5ky', 'TYRJvVcvBa', 'xssJK2MUFV', 'RkHJmdqH1d', 'HwDJt5ryVF', 'kITJ35k2Hr', 'CpkJCNHtbF'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, HNrGVVaRFHRt9wE1yIH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KLZYtwwt4M', 'HeKY3RLRBI', 'f4oYCik7Re', 'O57YyeoAbG', 'F08Y2et9mM', 'bW2YISPhOY', 'mN9YWUPIwq'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, S4cgTPaaQ63YDrb3WEb.cs	High entropy of concatenated method names: 'ToString', 'gS9YB59Dv5', 'rhWYsi1gWt', 'wrbYXuT0RD', 's65YZc8k3N', 'g4FYjehAW0', 'drPYDht3br', 'uoiY5RMHje', 'qMvIaLpBgSrMUhhO7RD', 'lax7M7pHwCLP2iVxmXH'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, HsvUApVHHAG66pB3Hb.cs	High entropy of concatenated method names: 'qJF1XAxmTd', 'jpw1jFEGJf', 'may158qcJs', 'Ymk1NXTu8E', 'nQT1b88pyg', 'Wgg52DahZv', 'Yv85IOUgFO', 'UJ45WOvcIO', 'nrb5hi1u6r', 'mtn5n9K3Qt'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, LrIAQpqtGcG7NuVqi1.cs	High entropy of concatenated method names: 'O8UbjcKDeOmRuavJwmh', 'eGcJi2KRFnKbpqa8IZW', 'xb6L51KGr7L3PM8U4EB', 'b4Q19KAmrt', 'Heg18qpow3', 'QNF1YWPA4N', 'AQosqHKVuoJsCV9QoJA', 'gb5db3Ki8ZySkkFULu2', 'Jw9B1KKCLC5QN2rFFsH'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, sAO7rj2vMbNiiAhvyA.cs	High entropy of concatenated method names: 'c1hgfds8nC', 'MKpguKMWWa', 'oHLglJ2Y6P', 'T6WgQEdwWT', 'CiJgTQnSq4', 'FhBgpjywx3', 'LHBgqY38CD', 'gOIgwlfFxk', 'ooggSNRUVM', 'SEOgvCPM6N'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, ayiQZall1kUmx0W6Gb.cs	High entropy of concatenated method names: 'aLbie5RHp', 'N8OES2sHA', 'CEOOOpfqR', 'IttLgler6', 'YvkucaUKW', 'JG3xZwAR1', 'MyBFtuwulVybd7tnvi', 'cIVklsm68nhQxSstak', 'UOS9LVkEm', 'TekYCvxpU'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, WNlJvjLnRnZodIGnuR.cs	High entropy of concatenated method names: 'fGd8rtiLps', 'gHH8BX8m4F', 'aUj8sBIVB7', 'sTu8ZBQ8u3', 'f168jucpQ0', 'nVb85ZYpRv', 'X5681sJNoe', 'xCv9WaAWd3', 'zyt9hPl0s0', 'FYv9nTBufc'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, vfniaBJA1eeHlImvxN.cs	High entropy of concatenated method names: 'bT6rNgRsWI', 'lG6rb3vkNa', 'I1urFWsR1v', 'kGcrRHbteM', 'Uv0rdJMnbp', 'pv2r0UlPZ7', 'XnVoVAxRS1V02DuQk0', 'ANXSf0gkvEGrsU2KTN', 'kmGrryfgJQ', 'h8nrBjT1j8'
Source: 0.2.PO0424024.exe.438ee30.7.raw.unpack, tcpnC1NfLeotSQH8gi.cs	High entropy of concatenated method names: 'ToString', 'Rkr0vEW2qG', 'oJx0QGfEt5', 'h6y0AZ2vnP', 'Iaw0TTZmhl', 'cqh0pWN6cX', 'UEd0VSDo04', 'xAD0qtdiHi', 'O5P0wneSme', 'F3H0eoQqIE'
Source: 0.2.PO0424024.exe.6e70000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.PO0424024.exe.6e70000.10.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, xf8DemTR0ISrUguC1O.cs	High entropy of concatenated method names: 'edW9l9xt5j', 'qhy9QqhwoQ', 'vNT9AO1Tqf', 'TLJ9TIjJv5', 'otN9t09Zar', 'sYZ9pUjRG9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, eBYpIxWVls18WZje7r.cs	High entropy of concatenated method names: 'OYI9ZurbWC', 'UPY9j1TvsM', 'jUZ9Dr2eco', 'QfE95leSYA', 'yeM91hUGpq', 'WgG9NVyUFd', 'qPU9bdY8K0', 'Bd49U6a4Op', 'd4h9FAFf2Y', 'pMm9RAWQZH'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, rljZitc2Y0Y5BASKed.cs	High entropy of concatenated method names: 'DmFjtUAaka', 'bywj36g4g1', 'tFXjC1YfB4', 'KhpjyvNOtN', 'Xauj23HFbI', 'AYUjIFionN', 'jVAjWO8DqS', 'R3qjhygHoH', 'EtjjnvIhV2', 'xOFjPICKcM'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, lXG347jmgqtSJbUTFQ.cs	High entropy of concatenated method names: 'LjeBX4dqgk', 'VijBZmq1Uh', 'AllBjxZkr6', 'aMrBDL1oex', 'oclB5u5Yxd', 'PlBB1VblDT', 'dBDBN86cgq', 'VGJBbpIG4E', 'yZ1BU2OZkS', 'Ou6BFjWGp9'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, uYUEXyzt1iYrE6QGDP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'as68gFsZ6j', 'X2x8dZbT6L', 'VGJ807UqWe', 'Oq08JFv4X3', 'zal89rjJDZ', 'jao88mJ59B', 'rOS8YXiluy'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, ey3HbfxvqqZn9WU7CP.cs	High entropy of concatenated method names: 't3mNMmGRoE', 'MyCN4JNn8T', 'BVXNiFe8CL', 'HgGNES8dWV', 'sn5NHowslL', 'fFHNO2wHIK', 'DBZNLtKyTY', 'dv6NfbwYE7', 'aVYNui3Qd4', 'i4HNxIlMVt'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, n0kSbQGRSvlHte8Eib.cs	High entropy of concatenated method names: 'WA2DE5vqIT', 'aRkDOOgKjK', 'T2ZDf4GkIo', 'GCMDuUhFI5', 'cZ2DdAXlWG', 'mNqD0tEn5C', 'HwcDJTOueh', 'rDKD9t1XfJ', 'VnbD8mhN1R', 'rl6DYeUc35'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, bA3SS5wJKrXALX79qC.cs	High entropy of concatenated method names: 'KmxJFZfYVQ', 'X3fJRfBKKe', 'ToString', 'RSHJZGvhwF', 'F7HJjoJEyU', 'W1jJDf2mue', 'sF2J5uLaLk', 'qNhJ1XehYo', 'N2WJNuiNfu', 'ta7JbePFKo'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, KGeVZ28UIBVNOkPHmF.cs	High entropy of concatenated method names: 'Dispose', 'kScrnhTsoW', 'r7c6QMPEKn', 'UwoGGkv0vR', 'iE9rPvXNMj', 'QZwrzYTi76', 'ProcessDialogKey', 'Thb6kWZ6qF', 'yoL6rGSrNe', 'zTl66rjInE'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, n1EW1fa7RmuHh2eHM9w.cs	High entropy of concatenated method names: 'TvL8MtbMHQ', 'yUN848Zb32', 'Dsi8iqCRt6', 'OoO8EMcOQF', 'rEg8Hri0ix', 'IoC8O2RKvt', 'god8LmwVUF', 'XHs8fduDbB', 'zLD8uOLi6r', 'fn08xHlIt6'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, YSxpOUA4uyf5JdNj1C.cs	High entropy of concatenated method names: 'su5dScxUtQ', 'GGTdKC7MgQ', 'EaUdtZ3R2m', 'Ubgd3sk4c5', 'xeydQds1Nv', 'yvsdAQhYOe', 'DKJdTAdxXJ', 'OWodp3r7Pu', 'aS8dVVvvwS', 'nxpdqgZo2p'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, m09LbGHvOCXuOlhAVi.cs	High entropy of concatenated method names: 'sJKNZJmK0d', 'OQeNDXBBuX', 'my8N1oRpVo', 'ytc1PynGb0', 'IKD1zVk84N', 'awONkiFIqd', 'e9QNr1H1iI', 'ufrN6ySxA0', 'a8ZNBqcHPR', 'L3ZNsmdppw'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, jaKfEhvVHNriyUHBD5.cs	High entropy of concatenated method names: 'rxt5H1UaLd', 'LyO5LlCpcT', 'eIgDAL5O7a', 'LNmDT5PEpB', 'JX4DpnPCnk', 'da5DVnJwY9', 'pkDDqRjRkD', 'cPtDwnF1Li', 'Wg2DeaGPb6', 'sZjDSZo8v0'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, TdpK7UBYZRso2FLCgU.cs	High entropy of concatenated method names: 'NA0Jhep55i', 'R7OJPSxUU4', 'xTA9ktWs0l', 'Tve9rhE5ky', 'TYRJvVcvBa', 'xssJK2MUFV', 'RkHJmdqH1d', 'HwDJt5ryVF', 'kITJ35k2Hr', 'CpkJCNHtbF'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, HNrGVVaRFHRt9wE1yIH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KLZYtwwt4M', 'HeKY3RLRBI', 'f4oYCik7Re', 'O57YyeoAbG', 'F08Y2et9mM', 'bW2YISPhOY', 'mN9YWUPIwq'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, S4cgTPaaQ63YDrb3WEb.cs	High entropy of concatenated method names: 'ToString', 'gS9YB59Dv5', 'rhWYsi1gWt', 'wrbYXuT0RD', 's65YZc8k3N', 'g4FYjehAW0', 'drPYDht3br', 'uoiY5RMHje', 'qMvIaLpBgSrMUhhO7RD', 'lax7M7pHwCLP2iVxmXH'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, HsvUApVHHAG66pB3Hb.cs	High entropy of concatenated method names: 'qJF1XAxmTd', 'jpw1jFEGJf', 'may158qcJs', 'Ymk1NXTu8E', 'nQT1b88pyg', 'Wgg52DahZv', 'Yv85IOUgFO', 'UJ45WOvcIO', 'nrb5hi1u6r', 'mtn5n9K3Qt'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, LrIAQpqtGcG7NuVqi1.cs	High entropy of concatenated method names: 'O8UbjcKDeOmRuavJwmh', 'eGcJi2KRFnKbpqa8IZW', 'xb6L51KGr7L3PM8U4EB', 'b4Q19KAmrt', 'Heg18qpow3', 'QNF1YWPA4N', 'AQosqHKVuoJsCV9QoJA', 'gb5db3Ki8ZySkkFULu2', 'Jw9B1KKCLC5QN2rFFsH'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, sAO7rj2vMbNiiAhvyA.cs	High entropy of concatenated method names: 'c1hgfds8nC', 'MKpguKMWWa', 'oHLglJ2Y6P', 'T6WgQEdwWT', 'CiJgTQnSq4', 'FhBgpjywx3', 'LHBgqY38CD', 'gOIgwlfFxk', 'ooggSNRUVM', 'SEOgvCPM6N'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, ayiQZall1kUmx0W6Gb.cs	High entropy of concatenated method names: 'aLbie5RHp', 'N8OES2sHA', 'CEOOOpfqR', 'IttLgler6', 'YvkucaUKW', 'JG3xZwAR1', 'MyBFtuwulVybd7tnvi', 'cIVklsm68nhQxSstak', 'UOS9LVkEm', 'TekYCvxpU'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, WNlJvjLnRnZodIGnuR.cs	High entropy of concatenated method names: 'fGd8rtiLps', 'gHH8BX8m4F', 'aUj8sBIVB7', 'sTu8ZBQ8u3', 'f168jucpQ0', 'nVb85ZYpRv', 'X5681sJNoe', 'xCv9WaAWd3', 'zyt9hPl0s0', 'FYv9nTBufc'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, vfniaBJA1eeHlImvxN.cs	High entropy of concatenated method names: 'bT6rNgRsWI', 'lG6rb3vkNa', 'I1urFWsR1v', 'kGcrRHbteM', 'Uv0rdJMnbp', 'pv2r0UlPZ7', 'XnVoVAxRS1V02DuQk0', 'ANXSf0gkvEGrsU2KTN', 'kmGrryfgJQ', 'h8nrBjT1j8'
Source: 0.2.PO0424024.exe.46f0000.9.raw.unpack, tcpnC1NfLeotSQH8gi.cs	High entropy of concatenated method names: 'ToString', 'Rkr0vEW2qG', 'oJx0QGfEt5', 'h6y0AZ2vnP', 'Iaw0TTZmhl', 'cqh0pWN6cX', 'UEd0VSDo04', 'xAD0qtdiHi', 'O5P0wneSme', 'F3H0eoQqIE'

Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 46F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 7510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 8510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 86C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 96C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Memory allocated: BC40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe	Window / User API: threadDelayed 5622			Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Window / User API: threadDelayed 4348			Jump to behavior

Source: C:\Users\user\Desktop\PO0424024.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\takeown.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\PO0424024.exe TID: 1456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe TID: 7164	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe TID: 7164	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe TID: 7164	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe TID: 7164	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe TID: 7164	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 2932	Thread sleep count: 5622 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 2932	Thread sleep time: -11244000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 2932	Thread sleep count: 4348 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 2932	Thread sleep time: -8696000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO0424024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtOpenKeyEx: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQueryValueKey: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: NULL target: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO0424024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\jfLWIrNvBdXUZqKTstLPidJuesjIeBIFNQYCGaQUpAbARGedGUlMKIlGqKpEAySWKlETcTxWvVYd\tAFcdstzdUTfkmQlByDmlLl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000000.2094779642.0000000001200000.00000002.00000001.00040000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4170589534.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000000.2094779642.0000000001200000.00000002.00000001.00040000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4170589534.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000000.2094779642.0000000001200000.00000002.00000001.00040000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4170589534.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000000.2094779642.0000000001200000.00000002.00000001.00040000.00000000.sdmp, tAFcdstzdUTfkmQlByDmlLl.exe, 00000006.00000002.4170589534.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: Yara match	File source: 0.2.PO0424024.exe.6e70000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO0424024.exe.6e70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO0424024.exe.36f9970.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO0424024.exe.36f9970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735920141.0000000006E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729875673.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
103.168.172.37	www.celebration24.co.uk	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
162.43.104.164	www.shun-yamagata.com	United States	11333	CYBERTRAILSUS	false
84.32.84.32	carsinmultan.com	Lithuania	33922	NTT-LT-ASLT	false
74.208.236.153	www.klconstructions.net	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
91.195.240.123	www.cd14j.us	Germany	47846	SEDO-ASDE	false
47.76.62.167	www.xn--yzyp76d.com	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
203.161.46.103	www.happymarts.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false
3.33.130.190	threesomeapps.com	United States	8987	AMAZONEXPANSIONGB	false
195.242.88.141	unchainedventure.com	Romania	34301	KFNETRO	false
213.171.195.105	www.holein1sa.com	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	false

Name	IP	Active
carsinmultan.com	84.32.84.32	true
www.xn--yzyp76d.com	47.76.62.167	true
www.klconstructions.net	74.208.236.153	true
unchainedventure.com	195.242.88.141	true
www.holein1sa.com	213.171.195.105	true
threesomeapps.com	3.33.130.190	true
parkingpage.namecheap.com	91.195.240.19	true
www.celebration24.co.uk	103.168.172.37	true
www.cd14j.us	91.195.240.123	true
www.happymarts.top	203.161.46.103	true
www.shun-yamagata.com	162.43.104.164	true
www.kakaobrain.us	unknown	unknown
www.fashionagencylab.com	unknown	unknown
www.carsinmultan.com	unknown	unknown
www.threesomeapps.com	unknown	unknown
www.luckydomainz.shop	unknown	unknown
www.jrksa.info	unknown	unknown
www.unchainedventure.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.kakaobrain.us/pq0o/	true	Avira URL Cloud: safe	unknown
http://www.threesomeapps.com/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.unchainedventure.com/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.shun-yamagata.com/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=b2qFmWlReUJu6citZAtbwrrOSkIcZF9V2+9XddDidwLqjCK16JlrjYTgkvrAjFAj/kbk/ZD/H0dWxyKKd1m8GF0arunEMZ5tvTjrHaUhlNNo1MItznWZgp0=	false	Avira URL Cloud: safe	unknown
http://www.klconstructions.net/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=p2Os9DL/ZxMFxY/q2Ap/Yp5OBLYS19DXFnG8XGpKHfd79mzMsmb8450rEHnCTj1drUgFrotC1uV7Mqyg6tK80c0eBV3oPBtu8fCz/gVC+CE8Jn7lRxODf9w=	false	Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=NMNyNvSWAQl+XC9g7rBusjWgWNBgohatDhvK1KIHhjj0aHE/UrTu3yYXFvlKPRx40FckhBe9K4BGmhcAc+bYC4VcVVEG0KUeJFitahxkTU5y9cpDhM+xwHc=	false	Avira URL Cloud: safe	unknown
http://www.kakaobrain.us/pq0o/?F49hs=BhpYg4yoBpmopPUlJaseZ9A32WKe1CLsx7T3vymtgFCfsO9mDgtC+XcLrPQxM3XDzIUIWI4YDMWjav9FDMEzU1DT6w46OubC82AXo7xlEXtHI7IZbAZeHk0=&9ZZXx=T6kxVZuXAVuH9J	true	Avira URL Cloud: safe	unknown
http://www.luckydomainz.shop/pq0o/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.happymarts.top/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=4UCjKZAQgLnMxNicE9pqcHmXIZhn5ynD4ggafyrMLg7tBb5+FldYarQ4uWITApeKqaBZVuXxHE31Fdk4aV2tLvZQCfORxMIFcNC7KFHj2TQuLtYW7VfXj0w=	false	Avira URL Cloud: safe	unknown
http://www.cd14j.us/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=zdIBKqN9oP3plxVQyNgvYq0mMKrvq5q/57+iRklTGjPKULzejm8MTR3zmbqN1d/mp0y1+1mzyQU/+H24oE5uDnI7sp5jy5UFN+aaU0u6oQX+YH9icEJ0mm4=	false	Avira URL Cloud: safe	unknown
http://www.unchainedventure.com/pq0o/?F49hs=oyw/nBwJ61bGycTt7MUH34VrSoK42dIQz9F/9DQxJwbLEg40x6X3ShxK/IPLtNyuGmfUrEEfHvul1hK0yfa95YoddznUFYR7i1LwCbVe0J8wy+lXuD76n/g=&9ZZXx=T6kxVZuXAVuH9J	false	Avira URL Cloud: safe	unknown
http://www.xn--yzyp76d.com/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=J8WC84xruYdLZ+87Afe3OqqbMOMBhnRcdnGo6AhEflv3qioXWy6Vm5wGjKWjZFBj5bzfVwWaJCB72b3lEpkTXSJ8T31vhIsUx1l9uwIaTYdZUjGlsKsX5ww=	false	Avira URL Cloud: safe	unknown
http://www.shun-yamagata.com/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.happymarts.top/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.carsinmultan.com/pq0o/?F49hs=ERhh1Wv2i17OvleZDVlPuLV8FPLSNlSjgSFKCO/E5FvVDH88mB+A3XwhrFKA0T7u6+xnysJANU3lpyUswnu1e2FhmydoRAv58fVG4PjZmouhcgICZXbhSfU=&9ZZXx=T6kxVZuXAVuH9J	false	Avira URL Cloud: safe	unknown
http://www.klconstructions.net/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.cd14j.us/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.luckydomainz.shop/pq0o/?F49hs=zlo+FGSBhCkM5GVJsyQNaVbtL67WnJg88Yj7BD8zO0hDA+Ttp+tE7JQXtFhQSzjU/FmrV36xGrNmbpUbkD9mLWK1UOLjaHYQ4bVPRZ9N4YEmnoiYZJFdoy8=&9ZZXx=T6kxVZuXAVuH9J	true	Avira URL Cloud: safe	unknown
http://www.carsinmultan.com/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.holein1sa.com/pq0o/	false	Avira URL Cloud: safe	unknown
http://www.threesomeapps.com/pq0o/?9ZZXx=T6kxVZuXAVuH9J&F49hs=mRVcZEOhq89+MGHBKj9OIc/04Av6T2wEhyk9HpRK9pO5sVzjQ2X+QIoGEwrX8lym3PQN8R/kDgsMd57+ef1OrGKEsTU4CFRzLSC8xo47mPR0FpBjSaDhnxk=	false	Avira URL Cloud: safe	unknown

Windows Analysis Report PO0424024.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO0424024.exe

Malware Threat Intel
Provided by

ID:	1430828
Product:	CloudBasic
Start time:	09:19:05
Start date:	24.04.2024
Sample:	PO0424024.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	192be7ac2833574aafeeea8e0cd52380
SHA1:	264298e6ebda222d48c0185c1ad168c51c0dc133
SHA256:	19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO0424024.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\43PI9J	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3