Edit tour

Windows Analysis Report
3JZ4CUFqSs.exe

Overview

General Information

Sample name:	3JZ4CUFqSs.exe renamed because original name is a hash value
Original sample name:	76e96e27e37385083c72099dff75860bc2f6b5dfe30008ea6594955a6158019c.exe
Analysis ID:	1632393
MD5:	308385a05a0bd8dbcaa436fefa201092
SHA1:	f5a09cbee7f6b5417467b525229a3c4c74368544
SHA256:	76e96e27e37385083c72099dff75860bc2f6b5dfe30008ea6594955a6158019c
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3JZ4CUFqSs.exe (PID: 344 cmdline: "C:\Users\user\Desktop\3JZ4CUFqSs.exe" MD5: 308385A05A0BD8DBCAA436FEFA201092)

powershell.exe (PID: 5300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5736 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 8068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Qnv7zOwnqJwbpjTFet.exe (PID: 6520 cmdline: "C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\znTsQwaG0Ii.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

mtstocom.exe (PID: 8096 cmdline: "C:\Windows\SysWOW64\mtstocom.exe" MD5: 5930C59472F42B5F237500C999727441)

Qnv7zOwnqJwbpjTFet.exe (PID: 6936 cmdline: "C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\UDES4jzpmqmEGB.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 1780 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1528586558.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1532226712.00000000011E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.3739913753.0000000002F80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3743362439.00000000052C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.3741495561.0000000004E90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.3741452449.0000000004E40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1537393097.0000000001FC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3741528072.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: 3JZ4CUFqSs.exe PID: 344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3JZ4CUFqSs.exe", ParentImage: C:\Users\user\Desktop\3JZ4CUFqSs.exe, ParentProcessId: 344, ParentProcessName: 3JZ4CUFqSs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", ProcessId: 5300, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3JZ4CUFqSs.exe", ParentImage: C:\Users\user\Desktop\3JZ4CUFqSs.exe, ParentProcessId: 344, ParentProcessName: 3JZ4CUFqSs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe", ProcessId: 5300, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:17:11.868150+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49700	45.202.214.182	80	TCP
2025-03-07T23:17:35.268793+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49704	13.248.169.48	80	TCP
2025-03-07T23:18:27.539342+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49708	188.114.96.3	80	TCP
2025-03-07T23:18:40.737297+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49712	84.32.84.32	80	TCP
2025-03-07T23:19:02.113126+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49716	13.248.169.48	80	TCP
2025-03-07T23:19:15.295065+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49720	13.248.169.48	80	TCP
2025-03-07T23:19:28.892176+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49724	194.58.112.174	80	TCP
2025-03-07T23:19:42.513032+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49728	209.74.64.58	80	TCP
2025-03-07T23:19:55.951461+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49732	74.208.236.13	80	TCP
2025-03-07T23:20:09.279263+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49736	13.248.169.48	80	TCP
2025-03-07T23:20:23.178840+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49740	84.32.84.32	80	TCP
2025-03-07T23:20:36.523453+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49744	198.187.31.216	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:17:27.449907+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49701	13.248.169.48	80	TCP
2025-03-07T23:17:30.172141+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49702	13.248.169.48	80	TCP
2025-03-07T23:17:32.793029+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49703	13.248.169.48	80	TCP
2025-03-07T23:17:41.822352+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49705	188.114.96.3	80	TCP
2025-03-07T23:17:44.429395+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49706	188.114.96.3	80	TCP
2025-03-07T23:17:47.070094+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49707	188.114.96.3	80	TCP
2025-03-07T23:18:33.091252+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49709	84.32.84.32	80	TCP
2025-03-07T23:18:35.657227+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49710	84.32.84.32	80	TCP
2025-03-07T23:18:38.185018+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49711	84.32.84.32	80	TCP
2025-03-07T23:18:54.384684+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49713	13.248.169.48	80	TCP
2025-03-07T23:18:56.956646+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49714	13.248.169.48	80	TCP
2025-03-07T23:18:59.545192+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49715	13.248.169.48	80	TCP
2025-03-07T23:19:07.659448+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49717	13.248.169.48	80	TCP
2025-03-07T23:19:10.200941+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49718	13.248.169.48	80	TCP
2025-03-07T23:19:12.762151+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49719	13.248.169.48	80	TCP
2025-03-07T23:19:21.161145+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49721	194.58.112.174	80	TCP
2025-03-07T23:19:23.789989+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49722	194.58.112.174	80	TCP
2025-03-07T23:19:26.322685+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49723	194.58.112.174	80	TCP
2025-03-07T23:19:34.623951+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49725	209.74.64.58	80	TCP
2025-03-07T23:19:37.197042+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49726	209.74.64.58	80	TCP
2025-03-07T23:19:39.887513+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49727	209.74.64.58	80	TCP
2025-03-07T23:19:48.299215+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49729	74.208.236.13	80	TCP
2025-03-07T23:19:50.858372+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49730	74.208.236.13	80	TCP
2025-03-07T23:19:53.392831+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49731	74.208.236.13	80	TCP
2025-03-07T23:20:02.527165+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49733	13.248.169.48	80	TCP
2025-03-07T23:20:04.055295+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49734	13.248.169.48	80	TCP
2025-03-07T23:20:06.607926+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49735	13.248.169.48	80	TCP
2025-03-07T23:20:14.868415+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49737	84.32.84.32	80	TCP
2025-03-07T23:20:17.421663+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49738	84.32.84.32	80	TCP
2025-03-07T23:20:20.941089+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49739	84.32.84.32	80	TCP
2025-03-07T23:20:28.875643+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49741	198.187.31.216	80	TCP
2025-03-07T23:20:31.437326+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49742	198.187.31.216	80	TCP
2025-03-07T23:20:33.955530+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49743	198.187.31.216	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:19:34.623951+0100	2856318	1	A Network Trojan was detected	192.168.2.5	49725	209.74.64.58	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3JZ4CUFqSs.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.fluffymooncat.fun	Avira URL Cloud: Label: malware
Source: http://www.actpisalnplay.cyou/oxsm/	Avira URL Cloud: Label: phishing
Source: http://www.maplez.online/ce0o/	Avira URL Cloud: Label: malware
Source: http://www.actpisalnplay.cyou/oxsm/?ybO=3rpXdV&oD14=zxCFRrmISA4byYvwhpsz5mfjtxbPySprQg/hKktGAk5oo3c0kXvpRnfDaqoM6N06Cw2jcr8dO5K1pfcLp1G4FRVe13O1dTHVCvwt1cbydfpQY/8ElrvBIi2/dZTTuDMGLw==	Avira URL Cloud: Label: phishing
Source: http://www.blockchainuniverse.xyz/v2n0/	Avira URL Cloud: Label: malware
Source: http://www.fluffymooncat.fun/u136/	Avira URL Cloud: Label: malware
Source: http://www.maplez.online/ce0o/?oD14=PXi+7NdXUINUcappdoV8/mYp7eq7++YpoI9MenNGTJUZ7xZJAvHSAg8GNz6JR7ts9mIu8I8I4iG5B6aS651F+Yb8z1dhQMKznFVKAjIpBsJ8IxtwKGlQZ5tRqyQUETT/XQ==&ybO=3rpXdV	Avira URL Cloud: Label: malware
Source: http://www.fluffymooncat.fun/u136/?ybO=3rpXdV&oD14=TV9zv8mjWY8yavxIr3umEUDL/kGyGf0onDZ0cFOIWysMXVldSflxDQXMLa5+N1HFbm/zd5250Q+eUZn53c04TmqmEl/4n0ZycRx41HADqyw+dPV853xEUa7gUJA9pw5k7Q==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 3JZ4CUFqSs.exe	Virustotal: Detection: 79%			Perma Link
Source: 3JZ4CUFqSs.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1528586558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1532226712.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3739913753.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3743362439.00000000052C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3741495561.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3741452449.0000000004E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1537393097.0000000001FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3741528072.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 3JZ4CUFqSs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3JZ4CUFqSs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: biLU.pdb source: 3JZ4CUFqSs.exe
Source:	Binary string: mtstocom.pdb source: RegSvcs.exe, 00000008.00000002.1530726582.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3740994226.00000000009FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: mtstocom.exe, 0000000E.00000002.3742280763.00000000056CC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 0000000E.00000002.3740321563.0000000003447000.00000004.00000020.00020000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000000.1607518852.0000000002E8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1828302529.000000003A40C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.1532481800.0000000001270000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000002.3741635568.000000000523E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000002.3741635568.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000003.1531662554.0000000004D44000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000003.1538361605.0000000004EF2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1532481800.0000000001270000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, mtstocom.exe, 0000000E.00000002.3741635568.000000000523E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000002.3741635568.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000003.1531662554.0000000004D44000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 0000000E.00000003.1538361605.0000000004EF2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: biLU.pdbSHA256 source: 3JZ4CUFqSs.exe
Source:	Binary string: mtstocom.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1530726582.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3740994226.00000000009FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: mtstocom.exe, 0000000E.00000002.3742280763.00000000056CC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 0000000E.00000002.3740321563.0000000003447000.00000004.00000020.00020000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000000.1607518852.0000000002E8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1828302529.000000003A40C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000000.1444956896.00000000005DF000.00000002.00000001.01000000.0000000A.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3739883280.00000000005DF000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\mtstocom.exe

Code function: 14_2_02F9C880 FindFirstFileW,FindNextFileW,FindClose,

14_2_02F9C880

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 4x nop then jmp 0796BADCh	6_2_0796B0CB
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then xor eax, eax	14_2_02F89F70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then pop edi	14_2_02F8E3E6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then mov ebx, 00000004h	14_2_04F904D8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 198.187.31.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49727 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49702 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49728 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49713 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49705 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49720 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49724 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49700 -> 45.202.214.182:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49708 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49718 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49701 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:49725 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49717 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49731 -> 74.208.236.13:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49710 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 198.187.31.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 198.187.31.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49706 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49711 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49704 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49707 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49714 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49736 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49719 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49712 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49709 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 74.208.236.13:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49744 -> 198.187.31.216:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49732 -> 74.208.236.13:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49716 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49723 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49740 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49715 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 74.208.236.13:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49726 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49703 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49722 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 84.32.84.32:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.melengkung.xyz
Source:	DNS query: www.erectus.xyz
Source:	DNS query: www.blockchainuniverse.xyz
Source:	DNS query: www.bitsensor.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /h64j/?ybO=3rpXdV&oD14=QdRHvfmwrko6CmRm1GjPV55jtEN4iFrJPMUSWa5ndjdVZAdXuze6Yd8vrsqv+36H62eNybgQRfFiSq0c7btJ17uknJeeL4lAf73AhQ0b8UhsUMztpFtc4/LsPOmn/auKAA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.147961.topUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iq8z/?oD14=FkfgHc08CWYu8T02OyfM1UFD8pZcb9WBj3h0uO2LK0fyrnc/d17Mk1lrSllg/uqDqbtWVMJ+LUyovC3jDZ/nYr7eBsiRvohR8g4yxu0kgaxgkTDgyHZ0r8c4/yBXdQ2pfw==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.melengkung.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /oxsm/?ybO=3rpXdV&oD14=zxCFRrmISA4byYvwhpsz5mfjtxbPySprQg/hKktGAk5oo3c0kXvpRnfDaqoM6N06Cw2jcr8dO5K1pfcLp1G4FRVe13O1dTHVCvwt1cbydfpQY/8ElrvBIi2/dZTTuDMGLw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.actpisalnplay.cyouUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m67s/?oD14=N3oD0rYcC4QGMPddFFlqgpy+8VvR7Af09780TOiUhBKixWIsEQ9csfVGsok8jNv3/ojUmwHMT7CVv/2XPjq6H+zQp+wMJtbkAHHbJi/RQ7V0N5ne94XMYha5Ml6uq48frA==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.bellysweep.netUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /emrr/?oD14=7nUDY60I5tPDuTmpZ2795iv23evZF7QheBgjQKzN70LTiALhNkFNQ+8xK3GQ18q3s4CEe2fPiqkf2NvdbAat5dNhQe571nuLwhUuTBmnzlJnheX3Fnb6wLCSSw85TxK9MA==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.erectus.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /v2n0/?oD14=gf44WXmgSrTUjXPO3/7kAdgE9EiEqOW7ck04iYPzzlWKaZqLmmkc3v8Jur8KfDf9Epw/Zrxq5Pu4OplDYi4hBzxpvr6ibw89SBaYxV8E6J0i9ihDZx0+St6XrmKtfJcCmA==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.blockchainuniverse.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ce0o/?oD14=PXi+7NdXUINUcappdoV8/mYp7eq7++YpoI9MenNGTJUZ7xZJAvHSAg8GNz6JR7ts9mIu8I8I4iG5B6aS651F+Yb8z1dhQMKznFVKAjIpBsJ8IxtwKGlQZ5tRqyQUETT/XQ==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.maplez.onlineUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rinp/?ybO=3rpXdV&oD14=0KcnTIytYIlcQo0C1MZQp3h7wUSjvAX6KT/6rCxWG0hJHwoGn2SdxyW1TyQcT/SmGwS6D8LdXTlhLcqBOlZaJBhS8S6Kfck8qAgHzdpY4M1GN1PJ6ka/hpYzLD8x2fhG7Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.primelow.liveUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vs3q/?oD14=DKXpN07Bgl7JEL9k0cLWadJtwl6MJH1DojIImdQJHbx5M7TPFtvnb3H1y5LDrI1E+ZWp1il4VhyOFlkWBnuobpYijaegy2M3W6aSE1NNxjIKjcglKnNE76n1FYKvbbdiqA==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.srtroy.netUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9v0y/?ybO=3rpXdV&oD14=UmzsXtESHO97j/4Om48iMoWDrL42WBlaYaRSWMU9G4dk8dhzNAbc09+ql+G+Qje/epkRIlKFV7/VsIAXyer23d5V8Z7XE6yRDZlC25NU7HLmuUcLbB0YwTHIJixnO6JJjg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.bitsensor.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xbps/?oD14=uCu85g1C43hXUdnubsKE7O4H9O7JtjRCQT7Tjd/mPLhw8p6GND7xDgBNEpSdApg/7aNOp7NWr6poM7L1h/XQBJHSf4uEEK/FvuR6JDVgbbpj9+EO2b/QGmucD6Iy1LFpxg==&ybO=3rpXdV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.goodnewsedutech.netUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /u136/?ybO=3rpXdV&oD14=TV9zv8mjWY8yavxIr3umEUDL/kGyGf0onDZ0cFOIWysMXVldSflxDQXMLa5+N1HFbm/zd5250Q+eUZn53c04TmqmEl/4n0ZycRx41HADqyw+dPV853xEUa7gUJA9pw5k7Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.fluffymooncat.funUser-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.147961.top
Source: global traffic	DNS traffic detected: DNS query: www.melengkung.xyz
Source: global traffic	DNS traffic detected: DNS query: www.actpisalnplay.cyou
Source: global traffic	DNS traffic detected: DNS query: www.bellysweep.net
Source: global traffic	DNS traffic detected: DNS query: www.milays.cloud
Source: global traffic	DNS traffic detected: DNS query: www.erectus.xyz
Source: global traffic	DNS traffic detected: DNS query: www.blockchainuniverse.xyz
Source: global traffic	DNS traffic detected: DNS query: www.maplez.online
Source: global traffic	DNS traffic detected: DNS query: www.primelow.live
Source: global traffic	DNS traffic detected: DNS query: www.srtroy.net
Source: global traffic	DNS traffic detected: DNS query: www.bitsensor.xyz
Source: global traffic	DNS traffic detected: DNS query: www.goodnewsedutech.net
Source: global traffic	DNS traffic detected: DNS query: www.fluffymooncat.fun

Source: unknown

HTTP traffic detected: POST /iq8z/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Content-Length: 205Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Connection: closeHost: www.melengkung.xyzOrigin: http://www.melengkung.xyzReferer: http://www.melengkung.xyz/iq8z/User-Agent: Mozilla/5.0 (Linux; Android 5.1; LG-H815 Build/LMY47E) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36Data Raw: 6f 44 31 34 3d 49 6d 33 41 45 71 51 79 49 78 34 7a 72 7a 73 68 51 51 48 62 79 6d 42 4d 6b 62 35 38 61 63 32 79 71 32 52 59 72 36 69 54 50 33 6e 4d 74 6b 4d 43 58 6c 33 39 75 43 39 6a 5a 56 74 5a 2f 75 4c 58 6e 65 59 6a 4d 73 42 64 44 6d 37 34 6a 67 50 69 48 35 48 55 56 37 72 53 51 4e 57 55 76 36 68 47 78 48 45 4b 67 2b 78 52 72 71 68 32 73 69 33 4b 76 7a 42 76 76 2b 51 47 68 48 78 48 50 69 58 46 4f 79 4f 4f 6b 54 62 69 6e 76 52 6b 54 57 4a 78 48 44 4f 6d 76 56 73 67 56 76 32 79 67 77 58 50 7a 4e 6e 45 33 37 50 68 2f 50 76 46 64 6f 5a 31 75 33 52 72 6b 6a 65 4d 2b 71 4d 63 76 4f 55 6e 44 4c 5a 4a 33 32 45 3d Data Ascii: oD14=Im3AEqQyIx4zrzshQQHbymBMkb58ac2yq2RYr6iTP3nMtkMCXl39uC9jZVtZ/uLXneYjMsBdDm74jgPiH5HUV7rSQNWUv6hGxHEKg+xRrqh2si3KvzBvv+QGhHxHPiXFOyOOkTbinvRkTWJxHDOmvVsgVv2ygwXPzNnE37Ph/PvFdoZ1u3RrkjeM+qMcvOUnDLZJ32E=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 22:17:11 GMTContent-Type: text/htmlContent-Length: 8073Connection: closeETag: "67cacdb9-1f89"Server: layun.comAccess-Control-Allow-Origin: *
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 22:19:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 c9 92 d4 ca b2 bd 40 62 27 4d 82 18 31 9a 06 28 10 34 e8 0d 45 9f 0a ac 2f db 6c 7c d9 fc 05 ea 1f f5 3b 67 48 8a d2 4a eb 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 3c 09 94 e8 c7 43 b7 59 a7 ff c2 76 65 14 35 4a 4e d4 92 1d 19 c4 ce ae 2a 09 57 7a bd 46 29 1c 95 30 46 c9 4e b3 3e 54 b1 14 76 5f 86 91 8a 1b a5 f7 2e fd d2 38 87 3e 6e f5 e4 50 35 4a 81 0c 07 8e d7 2b 09 db f7 62 e5 61 50 a8 7a e1 c8 08 41 73 7e e4 ae a3 c6 81 1f c6 85 a1 63 a7 13 f7 1b 1d b5 eb d8 ca e0 1f 35 c7 73 62 47 ba 46 64 4b 57 35 d6 41 22 76 62 57 35 c7 e3 b1 39 94 81 ab ae 9a be e7 3a 9e aa 5b ba a3 8e 1f 03 11 2a b7 51 8a e2 89 ab a2 be 52 58 63 a8 3a 8e 6c 94 a4 eb 96 44 3f 54 dd 9c 53 e6 cc 90 a3 d8 37 ed 28 02 fd d9 7c 07 7b c8 46 77 25 98 f2 3d 13 ff 36 d7 4b 82 84 07 59 0d 65 4f 59 57 0c 1e d8 ac 47 76 e8 04 71 d3 3a 53 3f bd fd c6 c5 d7 2e bd b6 7d c6 3a 35 76 bc 8e 3f 36 e3 50 da 83 2d 1e f0 96 2f 3b a2 21 ba 23 cf 8e 1d df ab 54 af ed 6d 9c b2 ce ec ec 34 cf 58 75 2b 25 92 12 13 d8 1c 86 37 4a cb c9 54 ca d6 50 7a 4e 57 45 b1 79 39 2a 57 4b 18 af c2 d0 0f 9f 72 42 4d ac 63 4e 14 da 8d 52 91 10 54 92 a9 78 14 77 59 c5 cf cc 17 d9 0b b4 46 12 89 9e 9a b7 c5 49 45 fe 16 fa 4e e2 d1 d2 c6 da f6 3b 93 cc ac db 46 00 5d 09 fd d5 22 f5 b5 52 53 e5 36 36 da d9 53 ab dd 6b b9 4e af 1f c3 1e 88 96 0a 8b 74 78 70 ab 95 76 10 c9 b9 16 4d 3d 35 f8 8e b3 bb 72 aa e1 f9 31 b1 14 ab 2b 58 28 f9 3a 39 4a 1e 25 07 c9 63 91 7c 97 ec 4f 3f c4 e3 bd e4 70 fa d1 f4 06 9e 0f f1 77 94 dc 4d f6 a9 fb ee 9a d7 8e 82 8d 3a 5c 51 3b 6d db 20 ab cd 6c b5 1f c7 41 74 c1 b2 e0 79 26 7c 57 3b 83 e7 77 7d d7 f5 c7 c2 f3 fd 40 c1 4a f0 00 3f 80 b5 a8 10 f6 2c c3 1e 79 74 ab 0d 97 1f 80 99 bf d2 ea e6 f4 c3 e9 cd ba 25 9b 75 0b fb 68 d6 17 36 d3 53 ad 56 ea e6 c6 38 94 41 00 a2 a9 80 17 db 5b ec 8b 2d f8 02 30 61 e5 20 56 4b df 8f 62 20 88 11 c5 32 76 6c 28 60 61 d5 39 59 1b e9 fa a4 a7 f5 99 34 16 34 62 30 34 94 96 81 46 7f bd 59 0f 56 4f ec 28 6d c2 f0 d3 67 57 54 bd 1d 36 93 43 ad ab e4 07 52 62 f2 03 2b f6 c1 31 55 ce c9 3b 58 b5 e7 f6 28 8e 7d 2f ca 84 8d 4d 17 2c 40 77 82 4b fd 00 0d b8 7e d8 62 15 2b cf 26 3b 4b 3b 22 e7 aa 6a 41 f9 43 e9 b2 26 52 81 e6 f3 73 e1 a5 e3 59 2b 40 e3 02 89 40 76 3a d0 51 cb 25 b3 59 34 3b 82 66 6d 7a d6 b8 ef 3b 91 b5 69 f7 95 3d 68 ac 75 38 44 1c 43 ee 35 39 0c 36 30 a1 15 f9 a3 d0 56 8d 6c 7d c2 e4 52 f3 37 44 82 6c 50 14 37 4b 2e 53 64 9e 41 bb e0 89 27 6f a6 e3 0f a5 93 43 7b e6 2e 05 be f5 00 cb 53 63 6b 73 14 0f 33 ce 8e b3 4e 9d 14 5a 46 c3 8c ed 35 6a b2 b1 25 e9 f4 bc 46 04 11 79 9d 16 08 9d bc cb e4 ef 30 89 ff 24 07 62 fa 49 72 34 fd 74 7a 53 24 f7 33 38 38 5d f0 c0 28 90 de 12 6b 0d 42 7f e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 22:19:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 c9 92 d4 ca b2 bd 40 62 27 4d 82 18 31 9a 06 28 10 34 e8 0d 45 9f 0a ac 2f db 6c 7c d9 fc 05 ea 1f f5 3b 67 48 8a d2 4a eb 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 3c 09 94 e8 c7 43 b7 59 a7 ff c2 76 65 14 35 4a 4e d4 92 1d 19 c4 ce ae 2a 09 57 7a bd 46 29 1c 95 30 46 c9 4e b3 3e 54 b1 14 76 5f 86 91 8a 1b a5 f7 2e fd d2 38 87 3e 6e f5 e4 50 35 4a 81 0c 07 8e d7 2b 09 db f7 62 e5 61 50 a8 7a e1 c8 08 41 73 7e e4 ae a3 c6 81 1f c6 85 a1 63 a7 13 f7 1b 1d b5 eb d8 ca e0 1f 35 c7 73 62 47 ba 46 64 4b 57 35 d6 41 22 76 62 57 35 c7 e3 b1 39 94 81 ab ae 9a be e7 3a 9e aa 5b ba a3 8e 1f 03 11 2a b7 51 8a e2 89 ab a2 be 52 58 63 a8 3a 8e 6c 94 a4 eb 96 44 3f 54 dd 9c 53 e6 cc 90 a3 d8 37 ed 28 02 fd d9 7c 07 7b c8 46 77 25 98 f2 3d 13 ff 36 d7 4b 82 84 07 59 0d 65 4f 59 57 0c 1e d8 ac 47 76 e8 04 71 d3 3a 53 3f bd fd c6 c5 d7 2e bd b6 7d c6 3a 35 76 bc 8e 3f 36 e3 50 da 83 2d 1e f0 96 2f 3b a2 21 ba 23 cf 8e 1d df ab 54 af ed 6d 9c b2 ce ec ec 34 cf 58 75 2b 25 92 12 13 d8 1c 86 37 4a cb c9 54 ca d6 50 7a 4e 57 45 b1 79 39 2a 57 4b 18 af c2 d0 0f 9f 72 42 4d ac 63 4e 14 da 8d 52 91 10 54 92 a9 78 14 77 59 c5 cf cc 17 d9 0b b4 46 12 89 9e 9a b7 c5 49 45 fe 16 fa 4e e2 d1 d2 c6 da f6 3b 93 cc ac db 46 00 5d 09 fd d5 22 f5 b5 52 53 e5 36 36 da d9 53 ab dd 6b b9 4e af 1f c3 1e 88 96 0a 8b 74 78 70 ab 95 76 10 c9 b9 16 4d 3d 35 f8 8e b3 bb 72 aa e1 f9 31 b1 14 ab 2b 58 28 f9 3a 39 4a 1e 25 07 c9 63 91 7c 97 ec 4f 3f c4 e3 bd e4 70 fa d1 f4 06 9e 0f f1 77 94 dc 4d f6 a9 fb ee 9a d7 8e 82 8d 3a 5c 51 3b 6d db 20 ab cd 6c b5 1f c7 41 74 c1 b2 e0 79 26 7c 57 3b 83 e7 77 7d d7 f5 c7 c2 f3 fd 40 c1 4a f0 00 3f 80 b5 a8 10 f6 2c c3 1e 79 74 ab 0d 97 1f 80 99 bf d2 ea e6 f4 c3 e9 cd ba 25 9b 75 0b fb 68 d6 17 36 d3 53 ad 56 ea e6 c6 38 94 41 00 a2 a9 80 17 db 5b ec 8b 2d f8 02 30 61 e5 20 56 4b df 8f 62 20 88 11 c5 32 76 6c 28 60 61 d5 39 59 1b e9 fa a4 a7 f5 99 34 16 34 62 30 34 94 96 81 46 7f bd 59 0f 56 4f ec 28 6d c2 f0 d3 67 57 54 bd 1d 36 93 43 ad ab e4 07 52 62 f2 03 2b f6 c1 31 55 ce c9 3b 58 b5 e7 f6 28 8e 7d 2f ca 84 8d 4d 17 2c 40 77 82 4b fd 00 0d b8 7e d8 62 15 2b cf 26 3b 4b 3b 22 e7 aa 6a 41 f9 43 e9 b2 26 52 81 e6 f3 73 e1 a5 e3 59 2b 40 e3 02 89 40 76 3a d0 51 cb 25 b3 59 34 3b 82 66 6d 7a d6 b8 ef 3b 91 b5 69 f7 95 3d 68 ac 75 38 44 1c 43 ee 35 39 0c 36 30 a1 15 f9 a3 d0 56 8d 6c 7d c2 e4 52 f3 37 44 82 6c 50 14 37 4b 2e 53 64 9e 41 bb e0 89 27 6f a6 e3 0f a5 93 43 7b e6 2e 05 be f5 00 cb 53 63 6b 73 14 0f 33 ce 8e b3 4e 9d 14 5a 46 c3 8c ed 35 6a b2 b1 25 e9 f4 bc 46 04 11 79 9d 16 08 9d bc cb e4 ef 30 89 ff 24 07 62 fa 49 72 34 fd 74 7a 53 24 f7 33 38 38 5d f0 c0 28 90 de 12 6b 0d 42 7f e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 22:19:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 c9 92 d4 ca b2 bd 40 62 27 4d 82 18 31 9a 06 28 10 34 e8 0d 45 9f 0a ac 2f db 6c 7c d9 fc 05 ea 1f f5 3b 67 48 8a d2 4a eb 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 3c 09 94 e8 c7 43 b7 59 a7 ff c2 76 65 14 35 4a 4e d4 92 1d 19 c4 ce ae 2a 09 57 7a bd 46 29 1c 95 30 46 c9 4e b3 3e 54 b1 14 76 5f 86 91 8a 1b a5 f7 2e fd d2 38 87 3e 6e f5 e4 50 35 4a 81 0c 07 8e d7 2b 09 db f7 62 e5 61 50 a8 7a e1 c8 08 41 73 7e e4 ae a3 c6 81 1f c6 85 a1 63 a7 13 f7 1b 1d b5 eb d8 ca e0 1f 35 c7 73 62 47 ba 46 64 4b 57 35 d6 41 22 76 62 57 35 c7 e3 b1 39 94 81 ab ae 9a be e7 3a 9e aa 5b ba a3 8e 1f 03 11 2a b7 51 8a e2 89 ab a2 be 52 58 63 a8 3a 8e 6c 94 a4 eb 96 44 3f 54 dd 9c 53 e6 cc 90 a3 d8 37 ed 28 02 fd d9 7c 07 7b c8 46 77 25 98 f2 3d 13 ff 36 d7 4b 82 84 07 59 0d 65 4f 59 57 0c 1e d8 ac 47 76 e8 04 71 d3 3a 53 3f bd fd c6 c5 d7 2e bd b6 7d c6 3a 35 76 bc 8e 3f 36 e3 50 da 83 2d 1e f0 96 2f 3b a2 21 ba 23 cf 8e 1d df ab 54 af ed 6d 9c b2 ce ec ec 34 cf 58 75 2b 25 92 12 13 d8 1c 86 37 4a cb c9 54 ca d6 50 7a 4e 57 45 b1 79 39 2a 57 4b 18 af c2 d0 0f 9f 72 42 4d ac 63 4e 14 da 8d 52 91 10 54 92 a9 78 14 77 59 c5 cf cc 17 d9 0b b4 46 12 89 9e 9a b7 c5 49 45 fe 16 fa 4e e2 d1 d2 c6 da f6 3b 93 cc ac db 46 00 5d 09 fd d5 22 f5 b5 52 53 e5 36 36 da d9 53 ab dd 6b b9 4e af 1f c3 1e 88 96 0a 8b 74 78 70 ab 95 76 10 c9 b9 16 4d 3d 35 f8 8e b3 bb 72 aa e1 f9 31 b1 14 ab 2b 58 28 f9 3a 39 4a 1e 25 07 c9 63 91 7c 97 ec 4f 3f c4 e3 bd e4 70 fa d1 f4 06 9e 0f f1 77 94 dc 4d f6 a9 fb ee 9a d7 8e 82 8d 3a 5c 51 3b 6d db 20 ab cd 6c b5 1f c7 41 74 c1 b2 e0 79 26 7c 57 3b 83 e7 77 7d d7 f5 c7 c2 f3 fd 40 c1 4a f0 00 3f 80 b5 a8 10 f6 2c c3 1e 79 74 ab 0d 97 1f 80 99 bf d2 ea e6 f4 c3 e9 cd ba 25 9b 75 0b fb 68 d6 17 36 d3 53 ad 56 ea e6 c6 38 94 41 00 a2 a9 80 17 db 5b ec 8b 2d f8 02 30 61 e5 20 56 4b df 8f 62 20 88 11 c5 32 76 6c 28 60 61 d5 39 59 1b e9 fa a4 a7 f5 99 34 16 34 62 30 34 94 96 81 46 7f bd 59 0f 56 4f ec 28 6d c2 f0 d3 67 57 54 bd 1d 36 93 43 ad ab e4 07 52 62 f2 03 2b f6 c1 31 55 ce c9 3b 58 b5 e7 f6 28 8e 7d 2f ca 84 8d 4d 17 2c 40 77 82 4b fd 00 0d b8 7e d8 62 15 2b cf 26 3b 4b 3b 22 e7 aa 6a 41 f9 43 e9 b2 26 52 81 e6 f3 73 e1 a5 e3 59 2b 40 e3 02 89 40 76 3a d0 51 cb 25 b3 59 34 3b 82 66 6d 7a d6 b8 ef 3b 91 b5 69 f7 95 3d 68 ac 75 38 44 1c 43 ee 35 39 0c 36 30 a1 15 f9 a3 d0 56 8d 6c 7d c2 e4 52 f3 37 44 82 6c 50 14 37 4b 2e 53 64 9e 41 bb e0 89 27 6f a6 e3 0f a5 93 43 7b e6 2e 05 be f5 00 cb 53 63 6b 73 14 0f 33 ce 8e b3 4e 9d 14 5a 46 c3 8c ed 35 6a b2 b1 25 e9 f4 bc 46 04 11 79 9d 16 08 9d bc cb e4 ef 30 89 ff 24 07 62 fa 49 72 34 fd 74 7a 53 24 f7 33 38 38 5d f0 c0 28 90 de 12 6b 0d 42 7f e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 22:19:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 36 37 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 6d 61 70 6c 65 7a 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 22:19:34 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 22:19:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 22:19:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 22:19:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 07 Mar 2025 22:19:48 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 07 Mar 2025 22:19:50 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 07 Mar 2025 22:19:53 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Fri, 07 Mar 2025 22:19:55 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 07 Mar 2025 22:20:28 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 82 44 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 86 24 4a 60 e3 f7 b3 f6 96 1d f9 45 2f 03 30 51 9c 15 0f 83 7f f6 2e ed fd b4 d7 31 6c 82 63 38 f2 7e 2c b7 1c 27 4c fd 87 c1 4d 7f 62 15 7e 98 be eb fe cf ef ec 97 ae 5d 85 59 fa 05 88 9e 55 6e 71 a3 0f 27 2c f3 d8 02 ba d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 34 72 bb d3 33 93 f7 b1 eb 01 2d 59 75 95 bd df ec 65 b8 78 d6 e2 8f e3 6f b2 0f 50 e4 da 02 6f 92 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 04 7d d5 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b 60 1d c7 bd 59 7c 41 cd b3 f9 87 08 f2 2f 7f b4 ba 70 ad 32 4b 3f 5f 8f 0d af d7 f7 90 fc cc 04 57 9c 5d 74 6a 57 17 b9 be 7c b7 2c 90 b7 df eb be 0f 14 37 1b be 4a 8b 5c da 87 fc f6 58 ea 81 01 1c ef 03 75 5d a1 b5 70 73 d7 02 36 03 61 e4 f9 e7 1b b9 9e fd ab 99 af bb 62 63 9c 26 e8 f7 d3 5e c7 26 97 f6 36 76 25 e5 2d 47 d6 27 42 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f b8 52 98 be b9 f2 18 ff 04 68 d7 f6 b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 13 b6 d7 d7 15 96 d0 d1 f5 e0 95 26 de d1 bf 55 43 6f ee 7b c7 b5 b3 c2 ea ed f7 30 00 21 c5 2d fa 20 f4 7e a3 57 8d 83 78 c4 b0 57 d6 f8 74 9f 87 20 6b dc e2 0a 5f ef d9 78 f0 32 bb 2e 3f 1f b6 40 9c 69 6e 3d e7 95 09 8c 1e 11 e3 d1 1b 83 57 4c 7c 8e e2 d7 b8 f6 91 a1 7e 41 8d 75 7c 63 9b ef 9e 16 a6 97 98 fd 41 cc 8b c3 b2 ba bf a4 95 1e f0 a9 3b c8 ea aa 0c 41 40 e8 3f de d8 ef 0d f9 ca dd 4d 30 fe 0e af ab fe 37 69 01 4f 71 78 c3 96 17 67 bd 7f f5 91 f1 fd 0e 17 4b 5b 71 e8 03 23 db e0 84 e0 16 6f e3 6f 24 bf de f8 cd 0b e8 3f da e9 92 70 41 8e fa 2c 86 f5 81 e0 3e 4c 2c ff d6 8c df 85 fa 34 f6 5e 96 f6 a7 1c 90 a0 6e e5 eb 73 6e fb 92 1f f7 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 bf 07 18 89 40 8e ea ff dc 5b 71 fc 9e c0 2f 49 05 92 3a 00 f7 00 e8 0a 64 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 07 Mar 2025 22:20:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 82 44 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 86 24 4a 60 e3 f7 b3 f6 96 1d f9 45 2f 03 30 51 9c 15 0f 83 7f f6 2e ed fd b4 d7 31 6c 82 63 38 f2 7e 2c b7 1c 27 4c fd 87 c1 4d 7f 62 15 7e 98 be eb fe cf ef ec 97 ae 5d 85 59 fa 05 88 9e 55 6e 71 a3 0f 27 2c f3 d8 02 ba d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 34 72 bb d3 33 93 f7 b1 eb 01 2d 59 75 95 bd df ec 65 b8 78 d6 e2 8f e3 6f b2 0f 50 e4 da 02 6f 92 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 04 7d d5 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b 60 1d c7 bd 59 7c 41 cd b3 f9 87 08 f2 2f 7f b4 ba 70 ad 32 4b 3f 5f 8f 0d af d7 f7 90 fc cc 04 57 9c 5d 74 6a 57 17 b9 be 7c b7 2c 90 b7 df eb be 0f 14 37 1b be 4a 8b 5c da 87 fc f6 58 ea 81 01 1c ef 03 75 5d a1 b5 70 73 d7 02 36 03 61 e4 f9 e7 1b b9 9e fd ab 99 af bb 62 63 9c 26 e8 f7 d3 5e c7 26 97 f6 36 76 25 e5 2d 47 d6 27 42 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f b8 52 98 be b9 f2 18 ff 04 68 d7 f6 b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 13 b6 d7 d7 15 96 d0 d1 f5 e0 95 26 de d1 bf 55 43 6f ee 7b c7 b5 b3 c2 ea ed f7 30 00 21 c5 2d fa 20 f4 7e a3 57 8d 83 78 c4 b0 57 d6 f8 74 9f 87 20 6b dc e2 0a 5f ef d9 78 f0 32 bb 2e 3f 1f b6 40 9c 69 6e 3d e7 95 09 8c 1e 11 e3 d1 1b 83 57 4c 7c 8e e2 d7 b8 f6 91 a1 7e 41 8d 75 7c 63 9b ef 9e 16 a6 97 98 fd 41 cc 8b c3 b2 ba bf a4 95 1e f0 a9 3b c8 ea aa 0c 41 40 e8 3f de d8 ef 0d f9 ca dd 4d 30 fe 0e af ab fe 37 69 01 4f 71 78 c3 96 17 67 bd 7f f5 91 f1 fd 0e 17 4b 5b 71 e8 03 23 db e0 84 e0 16 6f e3 6f 24 bf de f8 cd 0b e8 3f da e9 92 70 41 8e fa 2c 86 f5 81 e0 3e 4c 2c ff d6 8c df 85 fa 34 f6 5e 96 f6 a7 1c 90 a0 6e e5 eb 73 6e fb 92 1f f7 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 bf 07 18 89 40 8e ea ff dc 5b 71 fc 9e c0 2f 49 05 92 3a 00 f7 00 e8 0a 64 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 07 Mar 2025 22:20:33 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 82 44 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 86 24 4a 60 e3 f7 b3 f6 96 1d f9 45 2f 03 30 51 9c 15 0f 83 7f f6 2e ed fd b4 d7 31 6c 82 63 38 f2 7e 2c b7 1c 27 4c fd 87 c1 4d 7f 62 15 7e 98 be eb fe cf ef ec 97 ae 5d 85 59 fa 05 88 9e 55 6e 71 a3 0f 27 2c f3 d8 02 ba d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 34 72 bb d3 33 93 f7 b1 eb 01 2d 59 75 95 bd df ec 65 b8 78 d6 e2 8f e3 6f b2 0f 50 e4 da 02 6f 92 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 04 7d d5 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b 60 1d c7 bd 59 7c 41 cd b3 f9 87 08 f2 2f 7f b4 ba 70 ad 32 4b 3f 5f 8f 0d af d7 f7 90 fc cc 04 57 9c 5d 74 6a 57 17 b9 be 7c b7 2c 90 b7 df eb be 0f 14 37 1b be 4a 8b 5c da 87 fc f6 58 ea 81 01 1c ef 03 75 5d a1 b5 70 73 d7 02 36 03 61 e4 f9 e7 1b b9 9e fd ab 99 af bb 62 63 9c 26 e8 f7 d3 5e c7 26 97 f6 36 76 25 e5 2d 47 d6 27 42 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f b8 52 98 be b9 f2 18 ff 04 68 d7 f6 b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 13 b6 d7 d7 15 96 d0 d1 f5 e0 95 26 de d1 bf 55 43 6f ee 7b c7 b5 b3 c2 ea ed f7 30 00 21 c5 2d fa 20 f4 7e a3 57 8d 83 78 c4 b0 57 d6 f8 74 9f 87 20 6b dc e2 0a 5f ef d9 78 f0 32 bb 2e 3f 1f b6 40 9c 69 6e 3d e7 95 09 8c 1e 11 e3 d1 1b 83 57 4c 7c 8e e2 d7 b8 f6 91 a1 7e 41 8d 75 7c 63 9b ef 9e 16 a6 97 98 fd 41 cc 8b c3 b2 ba bf a4 95 1e f0 a9 3b c8 ea aa 0c 41 40 e8 3f de d8 ef 0d f9 ca dd 4d 30 fe 0e af ab fe 37 69 01 4f 71 78 c3 96 17 67 bd 7f f5 91 f1 fd 0e 17 4b 5b 71 e8 03 23 db e0 84 e0 16 6f e3 6f 24 bf de f8 cd 0b e8 3f da e9 92 70 41 8e fa 2c 86 f5 81 e0 3e 4c 2c ff d6 8c df 85 fa 34 f6 5e 96 f6 a7 1c 90 a0 6e e5 eb 73 6e fb 92 1f f7 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 bf 07 18 89 40 8e ea ff dc 5b 71 fc 9e c0 2f 49 05 92 3a 00 f7 00 e8 0a 64 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Fri, 07 Mar 2025 22:20:36 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 31 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20

Source: mtstocom.exe, 0000000E.00000002.3742280763.0000000006D8C000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.000000000454C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: 3JZ4CUFqSs.exe, 00000006.00000002.1296405707.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3JZ4CUFqSs.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3743362439.000000000531D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fluffymooncat.fun
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3743362439.000000000531D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fluffymooncat.fun/u136/
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://companies.rbc.ru/
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V0
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mtstocom.exe, 0000000E.00000003.1718105116.00000000082F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.maplez.online&rand=
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: mtstocom.exe, 0000000E.00000003.1723241727.000000000831D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.rbc.ru/technology_and_media/
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_se
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_n
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_host
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: mtstocom.exe, 0000000E.00000002.3742280763.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741579681.0000000003D72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.maplez.online&reg_source=parking_auto

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1528586558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1532226712.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3739913753.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3743362439.00000000052C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3741495561.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3741452449.0000000004E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1537393097.0000000001FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3741528072.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0042CA53 NtClose,	8_2_0042CA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040AC27 NtAllocateVirtualMemory,	8_2_0040AC27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2B60 NtClose,LdrInitializeThunk,	8_2_012E2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_012E2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_012E2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E35C0 NtCreateMutant,LdrInitializeThunk,	8_2_012E35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E4340 NtSetContextThread,	8_2_012E4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E4650 NtSuspendThread,	8_2_012E4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2BA0 NtEnumerateValueKey,	8_2_012E2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2B80 NtQueryInformationFile,	8_2_012E2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2BE0 NtQueryValueKey,	8_2_012E2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2BF0 NtAllocateVirtualMemory,	8_2_012E2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2AB0 NtWaitForSingleObject,	8_2_012E2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2AF0 NtWriteFile,	8_2_012E2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2AD0 NtReadFile,	8_2_012E2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2D30 NtUnmapViewOfSection,	8_2_012E2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2D00 NtSetInformationFile,	8_2_012E2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2D10 NtMapViewOfSection,	8_2_012E2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2DB0 NtEnumerateKey,	8_2_012E2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2DD0 NtDelayExecution,	8_2_012E2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2C00 NtQueryInformationProcess,	8_2_012E2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2C60 NtCreateKey,	8_2_012E2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2CA0 NtQueryInformationToken,	8_2_012E2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2CF0 NtOpenProcess,	8_2_012E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2CC0 NtQueryVirtualMemory,	8_2_012E2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2F30 NtCreateSection,	8_2_012E2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2F60 NtCreateProcessEx,	8_2_012E2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2FA0 NtQuerySection,	8_2_012E2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2FB0 NtResumeThread,	8_2_012E2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2F90 NtProtectVirtualMemory,	8_2_012E2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2FE0 NtCreateFile,	8_2_012E2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2E30 NtWriteVirtualMemory,	8_2_012E2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2EA0 NtAdjustPrivilegesToken,	8_2_012E2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2E80 NtReadVirtualMemory,	8_2_012E2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E2EE0 NtQueueApcThread,	8_2_012E2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E3010 NtOpenDirectoryObject,	8_2_012E3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E3090 NtSetValueKey,	8_2_012E3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E39B0 NtGetContextThread,	8_2_012E39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E3D10 NtOpenProcessToken,	8_2_012E3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E3D70 NtOpenThread,	8_2_012E3D70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05114650 NtSuspendThread,LdrInitializeThunk,	14_2_05114650
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05114340 NtSetContextThread,LdrInitializeThunk,	14_2_05114340
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112D10 NtMapViewOfSection,LdrInitializeThunk,	14_2_05112D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112D30 NtUnmapViewOfSection,LdrInitializeThunk,	14_2_05112D30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112DD0 NtDelayExecution,LdrInitializeThunk,	14_2_05112DD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112DF0 NtQuerySystemInformation,LdrInitializeThunk,	14_2_05112DF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112C70 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_05112C70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112C60 NtCreateKey,LdrInitializeThunk,	14_2_05112C60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112CA0 NtQueryInformationToken,LdrInitializeThunk,	14_2_05112CA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112F30 NtCreateSection,LdrInitializeThunk,	14_2_05112F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112FB0 NtResumeThread,LdrInitializeThunk,	14_2_05112FB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112FE0 NtCreateFile,LdrInitializeThunk,	14_2_05112FE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112E80 NtReadVirtualMemory,LdrInitializeThunk,	14_2_05112E80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112EE0 NtQueueApcThread,LdrInitializeThunk,	14_2_05112EE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112B60 NtClose,LdrInitializeThunk,	14_2_05112B60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112BA0 NtEnumerateValueKey,LdrInitializeThunk,	14_2_05112BA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_05112BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112BE0 NtQueryValueKey,LdrInitializeThunk,	14_2_05112BE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112AD0 NtReadFile,LdrInitializeThunk,	14_2_05112AD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112AF0 NtWriteFile,LdrInitializeThunk,	14_2_05112AF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051135C0 NtCreateMutant,LdrInitializeThunk,	14_2_051135C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051139B0 NtGetContextThread,LdrInitializeThunk,	14_2_051139B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112D00 NtSetInformationFile,	14_2_05112D00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112DB0 NtEnumerateKey,	14_2_05112DB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112C00 NtQueryInformationProcess,	14_2_05112C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112CC0 NtQueryVirtualMemory,	14_2_05112CC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112CF0 NtOpenProcess,	14_2_05112CF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112F60 NtCreateProcessEx,	14_2_05112F60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112F90 NtProtectVirtualMemory,	14_2_05112F90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112FA0 NtQuerySection,	14_2_05112FA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112E30 NtWriteVirtualMemory,	14_2_05112E30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112EA0 NtAdjustPrivilegesToken,	14_2_05112EA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112B80 NtQueryInformationFile,	14_2_05112B80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05112AB0 NtWaitForSingleObject,	14_2_05112AB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05113010 NtOpenDirectoryObject,	14_2_05113010
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05113090 NtSetValueKey,	14_2_05113090
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05113D10 NtOpenProcessToken,	14_2_05113D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05113D70 NtOpenThread,	14_2_05113D70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FA96F0 NtDeleteFile,	14_2_02FA96F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FA9600 NtReadFile,	14_2_02FA9600
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FA9790 NtClose,	14_2_02FA9790
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FA9490 NtCreateFile,	14_2_02FA9490
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FA9900 NtAllocateVirtualMemory,	14_2_02FA9900
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9FB0E NtSetContextThread,	14_2_04F9FB0E

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_02CF6F90	6_2_02CF6F90
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_02CFD3E4	6_2_02CFD3E4
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_052569B0	6_2_052569B0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_05250006	6_2_05250006
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_05250040	6_2_05250040
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_052569A0	6_2_052569A0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FE6F8	6_2_070FE6F8
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FCD80	6_2_070FCD80
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F6D98	6_2_070F6D98
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F7CB8	6_2_070F7CB8
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F5B88	6_2_070F5B88
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F9F70	6_2_070F9F70
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F9F80	6_2_070F9F80
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FE6E9	6_2_070FE6E9
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F8D00	6_2_070F8D00
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F8D10	6_2_070F8D10
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FA540	6_2_070FA540
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FCD6F	6_2_070FCD6F
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F7C3F	6_2_070F7C3F
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F7C7B	6_2_070F7C7B
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F4C99	6_2_070F4C99
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F7C93	6_2_070F7C93
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD4B0	6_2_070FD4B0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD4C0	6_2_070FD4C0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F9B50	6_2_070F9B50
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F5B79	6_2_070F5B79
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FA370	6_2_070FA370
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FA380	6_2_070FA380
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F6399	6_2_070F6399
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FEBC0	6_2_070FEBC0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FEBD0	6_2_070FEBD0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD25A	6_2_070FD25A
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD268	6_2_070FD268
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FE00A	6_2_070FE00A
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD008	6_2_070FD008
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FD018	6_2_070FD018
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FE018	6_2_070FE018
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FA0E1	6_2_070FA0E1
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070FA0F0	6_2_070FA0F0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_079675F8	6_2_079675F8
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_07968308	6_2_07968308
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_079661F0	6_2_079661F0
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_07965DB8	6_2_07965DB8
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_07967A30	6_2_07967A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004188F3	8_2_004188F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00403040	8_2_00403040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00410073	8_2_00410073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0042F0A3	8_2_0042F0A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E26A	8_2_0040E26A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E273	8_2_0040E273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00416AF3	8_2_00416AF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00410293	8_2_00410293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E3C3	8_2_0040E3C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402BD5	8_2_00402BD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402BE0	8_2_00402BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E3B7	8_2_0040E3B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401470	8_2_00401470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E40C	8_2_0040E40C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402770	8_2_00402770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012A0100	8_2_012A0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0134A118	8_2_0134A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01338158	8_2_01338158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013641A2	8_2_013641A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013701AA	8_2_013701AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013681CC	8_2_013681CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01342000	8_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136A352	8_2_0136A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013703E6	8_2_013703E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012BE3F0	8_2_012BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01350274	8_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013302C0	8_2_013302C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B0535	8_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01370591	8_2_01370591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01354420	8_2_01354420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01362446	8_2_01362446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0135E4F6	8_2_0135E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B0770	8_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012D4750	8_2_012D4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012AC7C0	8_2_012AC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012CC6E0	8_2_012CC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012C6962	8_2_012C6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B29A0	8_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0137A9A6	8_2_0137A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012BA840	8_2_012BA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B2840	8_2_012B2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012968B8	8_2_012968B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012DE8F0	8_2_012DE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136AB40	8_2_0136AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01366BD7	8_2_01366BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012AEA80	8_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012BAD00	8_2_012BAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0134CD1F	8_2_0134CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012C8DBF	8_2_012C8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012AADE0	8_2_012AADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B0C00	8_2_012B0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01350CB5	8_2_01350CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012A0CF2	8_2_012A0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01352F30	8_2_01352F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012F2F28	8_2_012F2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012D0F30	8_2_012D0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01324F40	8_2_01324F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0132EFA0	8_2_0132EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012BCFE0	8_2_012BCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012A2FC8	8_2_012A2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136EE26	8_2_0136EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B0E59	8_2_012B0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136CE93	8_2_0136CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012C2E90	8_2_012C2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136EEDB	8_2_0136EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012E516C	8_2_012E516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0129F172	8_2_0129F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0137B16B	8_2_0137B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012BB1B0	8_2_012BB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136F0E0	8_2_0136F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013670E9	8_2_013670E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B70C0	8_2_012B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0135F0CC	8_2_0135F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136132D	8_2_0136132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0129D34C	8_2_0129D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012F739A	8_2_012F739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B52A0	8_2_012B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013512ED	8_2_013512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012CB2C0	8_2_012CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01367571	8_2_01367571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0134D5B0	8_2_0134D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013795C3	8_2_013795C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136F43F	8_2_0136F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012A1460	8_2_012A1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136F7B0	8_2_0136F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012F5630	8_2_012F5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_013616CC	8_2_013616CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01345910	8_2_01345910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B9950	8_2_012B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012CB950	8_2_012CB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0131D800	8_2_0131D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B38E0	8_2_012B38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136FB76	8_2_0136FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012CFB80	8_2_012CFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01325BF0	8_2_01325BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012EDBF9	8_2_012EDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01323A6C	8_2_01323A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01367A46	8_2_01367A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136FA49	8_2_0136FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012F5AA0	8_2_012F5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01351AA3	8_2_01351AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0134DAAC	8_2_0134DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0135DAC6	8_2_0135DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01367D73	8_2_01367D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B3D40	8_2_012B3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01361D5A	8_2_01361D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012CFDC0	8_2_012CFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01329C32	8_2_01329C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136FCF2	8_2_0136FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136FF09	8_2_0136FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0136FFB1	8_2_0136FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B1F92	8_2_012B1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01273FD5	8_2_01273FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01273FD2	8_2_01273FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012B9EB0	8_2_012B9EB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E0535	14_2_050E0535
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051A0591	14_2_051A0591
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05184420	14_2_05184420
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05192446	14_2_05192446
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0518E4F6	14_2_0518E4F6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05104750	14_2_05104750
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E0770	14_2_050E0770
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050DC7C0	14_2_050DC7C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050FC6E0	14_2_050FC6E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050D0100	14_2_050D0100
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0517A118	14_2_0517A118
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05168158	14_2_05168158
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051A01AA	14_2_051A01AA
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051941A2	14_2_051941A2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051981CC	14_2_051981CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05172000	14_2_05172000
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519A352	14_2_0519A352
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051A03E6	14_2_051A03E6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050EE3F0	14_2_050EE3F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05180274	14_2_05180274
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051602C0	14_2_051602C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0517CD1F	14_2_0517CD1F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050EAD00	14_2_050EAD00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050F8DBF	14_2_050F8DBF
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050DADE0	14_2_050DADE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E0C00	14_2_050E0C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05180CB5	14_2_05180CB5
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050D0CF2	14_2_050D0CF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05100F30	14_2_05100F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05182F30	14_2_05182F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05122F28	14_2_05122F28
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05154F40	14_2_05154F40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0515EFA0	14_2_0515EFA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050D2FC8	14_2_050D2FC8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050ECFE0	14_2_050ECFE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519EE26	14_2_0519EE26
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E0E59	14_2_050E0E59
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519CE93	14_2_0519CE93
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050F2E90	14_2_050F2E90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519EEDB	14_2_0519EEDB
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050F6962	14_2_050F6962
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E29A0	14_2_050E29A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051AA9A6	14_2_051AA9A6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E2840	14_2_050E2840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050EA840	14_2_050EA840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050C68B8	14_2_050C68B8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0510E8F0	14_2_0510E8F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519AB40	14_2_0519AB40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05196BD7	14_2_05196BD7
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050DEA80	14_2_050DEA80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05197571	14_2_05197571
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0517D5B0	14_2_0517D5B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051A95C3	14_2_051A95C3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519F43F	14_2_0519F43F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050D1460	14_2_050D1460
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519F7B0	14_2_0519F7B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05125630	14_2_05125630
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051916CC	14_2_051916CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051AB16B	14_2_051AB16B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0511516C	14_2_0511516C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050CF172	14_2_050CF172
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050EB1B0	14_2_050EB1B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E70C0	14_2_050E70C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0518F0CC	14_2_0518F0CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051970E9	14_2_051970E9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519F0E0	14_2_0519F0E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519132D	14_2_0519132D
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050CD34C	14_2_050CD34C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0512739A	14_2_0512739A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E52A0	14_2_050E52A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050FB2C0	14_2_050FB2C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_051812ED	14_2_051812ED
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05191D5A	14_2_05191D5A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E3D40	14_2_050E3D40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05197D73	14_2_05197D73
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050FFDC0	14_2_050FFDC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05159C32	14_2_05159C32
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519FCF2	14_2_0519FCF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519FF09	14_2_0519FF09
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E1F92	14_2_050E1F92
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519FFB1	14_2_0519FFB1
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E9EB0	14_2_050E9EB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05175910	14_2_05175910
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E9950	14_2_050E9950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050FB950	14_2_050FB950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0514D800	14_2_0514D800
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050E38E0	14_2_050E38E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519FB76	14_2_0519FB76
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050FFB80	14_2_050FFB80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05155BF0	14_2_05155BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0511DBF9	14_2_0511DBF9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0519FA49	14_2_0519FA49
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05197A46	14_2_05197A46
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05153A6C	14_2_05153A6C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05125AA0	14_2_05125AA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0517DAAC	14_2_0517DAAC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_05181AA3	14_2_05181AA3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_0518DAC6	14_2_0518DAC6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F91F70	14_2_02F91F70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8CFD0	14_2_02F8CFD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8AFB0	14_2_02F8AFB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8AFA7	14_2_02F8AFA7
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8CDB0	14_2_02F8CDB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8B0F4	14_2_02F8B0F4
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8B149	14_2_02F8B149
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F8B100	14_2_02F8B100
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F95630	14_2_02F95630
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02F93830	14_2_02F93830
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_02FABDE0	14_2_02FABDE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9E77C	14_2_04F9E77C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9E2C4	14_2_04F9E2C4
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9E3E3	14_2_04F9E3E3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9D848	14_2_04F9D848
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_04F9CAF3	14_2_04F9CAF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0129B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012E5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012F7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0132F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0131EA12 appears 86 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 05115130 appears 58 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 0515F290 appears 105 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 05127E54 appears 111 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 050CB970 appears 280 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 0514EA12 appears 86 times

Source: 3JZ4CUFqSs.exe, 00000006.00000000.1279344000.0000000000992000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamebiLU.exeB vs 3JZ4CUFqSs.exe
Source: 3JZ4CUFqSs.exe, 00000006.00000002.1295367062.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3JZ4CUFqSs.exe
Source: 3JZ4CUFqSs.exe, 00000006.00000002.1336719649.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 3JZ4CUFqSs.exe
Source: 3JZ4CUFqSs.exe	Binary or memory string: OriginalFilenamebiLU.exeB vs 3JZ4CUFqSs.exe

Source: 3JZ4CUFqSs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3JZ4CUFqSs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, s0krrCXbibCQgAZJ8j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@14/8

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3JZ4CUFqSs.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\3JZ4CUFqSs.exe "C:\Users\user\Desktop\3JZ4CUFqSs.exe"
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe"
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3JZ4CUFqSs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	.Net Code: O1GhPThrjC System.Reflection.Assembly.Load(byte[])
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	.Net Code: O1GhPThrjC System.Reflection.Assembly.Load(byte[])
Source: 6.2.3JZ4CUFqSs.exe.3d4a508.2.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	.Net Code: O1GhPThrjC System.Reflection.Assembly.Load(byte[])
Source: 6.2.3JZ4CUFqSs.exe.3d6a528.0.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_070F7750 push cs; ret	6_2_070F7751
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_0796CFE0 push esp; ret	6_2_0796D025
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_0796E56D push FFFFFF8Bh; iretd	6_2_0796E56F
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_0796E4CB push edx; ret	6_2_0796E4D3
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Code function: 6_2_0796E472 push dword ptr [ebx+ebp-75h]; iretd	6_2_0796E47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00418831 push ss; retf	8_2_00418832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004020C5 push cs; ret	8_2_004020C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00416962 push esp; ret	8_2_00416982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00414132 push esp; iretd	8_2_0041413E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040DA33 push es; ret	8_2_0040DA36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004032C0 push eax; ret	8_2_004032C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00413B43 push edi; iretd	8_2_00413BB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004173C3 push edi; retf	8_2_004173C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041938F push esi; ret	8_2_0041939F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004163B3 push 00000032h; retf 0733h	8_2_004163F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041445D push FFFFFFB3h; retf	8_2_00414462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041946F push cs; retf	8_2_00419471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00406C97 push 3C1EEF70h; iretd	8_2_00406C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401D6D push ss; ret	8_2_00401DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401D7F push ss; ret	8_2_00401DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00424743 push es; retf	8_2_004247B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0127225F pushad ; ret	8_2_012727F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012727FA pushad ; ret	8_2_012727F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_012A09AD push ecx; mov dword ptr [esp], ecx	8_2_012A09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0127283D push eax; iretd	8_2_01272858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01271368 push eax; iretd	8_2_01271369
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050A27FA pushad ; ret	14_2_050A27F9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050A225F pushad ; ret	14_2_050A27F9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050D09AD push ecx; mov dword ptr [esp], ecx	14_2_050D09B6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050A283D push eax; iretd	14_2_050A2858
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 14_2_050A1368 push eax; iretd	14_2_050A1369

Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XVcuD6lbnlylJahljJ.cs	High entropy of concatenated method names: 'T0M4XZbLiD', 'kCX4aReCXP', 'yVq4QUPXGq', 'u5l49opTAt', 'De74tapsF6', 'rRH46skGem', 'vVS4KVKA2O', 'tpt4HqNTRq', 'Hvf4bBb35a', 'o2x47GapGh'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, ir2FaAz1NFgMY4a9oC.cs	High entropy of concatenated method names: 'egOxZWSmW1', 'aS3xXVAwaa', 'VSZxa68Y2b', 'el4xQX0vsS', 'rx7x9wZrcP', 'OTjxtV8s3p', 'qFLx64PPTU', 'HQpxgdqtI2', 'GKZxfmyYxw', 'YNMxSc6dpU'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, LmTgMYFh3OGojmve7Xn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rLsp8oLgln', 'UOwpxKT52j', 'OXDp5xvIlG', 'MPapp3cvwR', 'MPcpTFsj6v', 'y4tp2X9tRg', 'gX0pgo4xEf'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, LowW40Q982xWOI9xAn.cs	High entropy of concatenated method names: 'Lg1Md9u5ij', 'q2CMCke9P4', 'BUcMI1jfKV', 'Fd5MwVSguX', 'GSZMs3G3Zy', 'FSZIAnY3wG', 'zwIIuSX7R7', 'iEHIvW8E7r', 'rbTIjvQ4mD', 'W6DI17Ltjo'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, DJQwjBKuYSibWE4p8x.cs	High entropy of concatenated method names: 'VkfwOeudWW', 'g8Dw0IO2P5', 'kh7wM9yAiX', 'AwHMJJZgG0', 'UPbMzpZRN2', 'hvAwDcEAT2', 'CvEwFdThWR', 'gMVwRvqucV', 'zamwnJ0j4I', 'cx2whXrjhw'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, s0krrCXbibCQgAZJ8j.cs	High entropy of concatenated method names: 'WJeCLmIFHM', 'swoCWDS9h5', 'tAlCEDLs2I', 'ak1CkNT6Hq', 'NrOCAsQusU', 'I9gCuG5WZo', 'xesCvaXPLj', 'XP8CjjSF04', 'KBaC1Aom5u', 'mCCCJXSem0'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, UWTvOyBUoZbNADslHe.cs	High entropy of concatenated method names: 'nsqwf9vfMX', 'fbvwS97ZNd', 'upewP2uxWs', 'o2BwiXK6yq', 'hbCwN31NWM', 'PZIwZAhUCA', 'LtfweSC2ry', 'O9FwX88q5u', 'NwZwagfErZ', 'aejwcNn5Y0'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, hDLXZBFRkLpWHVswN6V.cs	High entropy of concatenated method names: 'ToString', 'G3V5XjBssB', 'PNG5aTmqDE', 'F7M5co4jlu', 'iej5Qmt811', 'zNU59ajfn0', 'TXU5yeUZqc', 'Pdd5tqPtyP', 'sBj9mLUsaY8rU3Wg6Wd', 'xSEOWwUWx8YkCHB4XWQ'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, qvWeVBhdrvhr8amZlX.cs	High entropy of concatenated method names: 'fJ8Fw0krrC', 'NibFsCQgAZ', 'LbrFo3AFOA', 'oTXFG1tvbQ', 'WJqFUrvKow', 'R40FV982xW', 'Jx9MrED5gFhanjTI5R', 'UNuKrQGynAp55R6qvW', 'qAkFFlRBNR', 'HbLFnXm0U1'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, xVPKDA1FG5aLinG5gT.cs	High entropy of concatenated method names: 'GA88Q44dmE', 'jmV893K2sI', 'Bd88ywxmqL', 'M5J8tkMgCO', 'B6w86iPgT3', 'rMB8q4nx0I', 'nvZ8KeCYfO', 'lnH8HbYUgl', 'sSF8BdlMMq', 'qNd8bMt6wA'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, GI66efJ24Cy1jKm2MI.cs	High entropy of concatenated method names: 'kbjx0WxL2H', 'u04xIYcD9r', 'AmxxMulaWN', 'e4cxwmeMIR', 'mNGx89BL05', 'Kxoxs6rmSK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, GdcJwlClFUCBbSK8pY.cs	High entropy of concatenated method names: 'Dispose', 'U9ZF1WQZbP', 'O3vR92l5Wy', 'KFNKEATNt0', 'oOfFJjEQoI', 'vv5Fz45vhx', 'ProcessDialogKey', 'oXfRDVPKDA', 'bG5RFaLinG', 'tgTRR9I66e'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, FUiLK3RekSFMxvcuxj.cs	High entropy of concatenated method names: 'BxAPBi1Cw', 'DXSixbJPb', 'ANSZJORjN', 'dLqe6nkcb', 'r4mahdx7T', 'EkQcaFymy', 'ppOpOAg7pXB3wuCJOF', 'FqY9c8AMoQhZLW8nx5', 'Gshm8Jmt8', 'ibax5aCO6'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, bTbrRHabr3AFOAUTX1.cs	High entropy of concatenated method names: 'oy30iHKXoh', 'PNa0Z1YMbh', 'koy0XxUwOR', 'pHY0aeHn3C', 'U310UO31Zv', 'jhM0VgM7Et', 'BbA0rhiOSs', 'G570moifLd', 'bFQ08i9h8d', 'GUw0x52n6A'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, hR8U3VuTNCYwZAtxP4.cs	High entropy of concatenated method names: 'JCLrjGUR2h', 'TcErJ777Rl', 'T9LmDkpuyy', 'hAsmFdHOlm', 'eixr7uLVHo', 'y3Br33VbgI', 'kDNrlqGwMh', 'N1XrLwmAiA', 'm0XrWLYDCd', 'C6NrE7aPvB'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	High entropy of concatenated method names: 'RltndCZMry', 'OY8nOekfrS', 'LOFnCJPCQi', 'lajn0LxfIL', 'bCnnI83VR1', 'jusnMkhh7D', 'T3gnwE8gM5', 'XpUnsjBVFC', 'n3MnYPC605', 'cldnoh2qRw'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, pRKek4FF7g86jJ6clPT.cs	High entropy of concatenated method names: 'frExJToYr4', 'cKqxzBmqio', 'aDA5DiknVb', 'xJN5FpPDha', 'qXG5R1rOgZ', 'mTC5nIvR6Y', 'AD25hg5BOK', 'Nto5dkt4wF', 'mJ05Ok1L25', 'Nif5ChBwJk'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, u5K0KakCH039B2Zh29.cs	High entropy of concatenated method names: 'zCcroUuN4C', 'trMrGqQJjQ', 'ToString', 'hitrODdbAD', 'Y6ErCBwPZ9', 'yIfr0ZERTW', 'UdfrInPLTs', 'oSWrMeKLCX', 'u9mrwvKsrh', 'cl1rsuUajS'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, Pctsf0FD9QOSkcvYWwo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'prAx7tHVKL', 'cyxx3IqCoi', 'hYdxl2oevM', 'SVpxLu2rI9', 'z5yxWVP4WE', 'qJxxEY3JN8', 'hn8xkfalhr'
Source: 6.2.3JZ4CUFqSs.exe.47c1fe8.1.raw.unpack, h5Y1mavUcA9ZWQZbPU.cs	High entropy of concatenated method names: 'hdJ8UEaOFK', 'O2m8r07EDW', 'Hmj887CL7t', 'Qqs85QrORJ', 'syB8TygwVP', 'Egt8glvp8B', 'Dispose', 'RmpmONO8Vv', 'G5wmCk7wnr', 'eY0m0WXaAf'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XVcuD6lbnlylJahljJ.cs	High entropy of concatenated method names: 'T0M4XZbLiD', 'kCX4aReCXP', 'yVq4QUPXGq', 'u5l49opTAt', 'De74tapsF6', 'rRH46skGem', 'vVS4KVKA2O', 'tpt4HqNTRq', 'Hvf4bBb35a', 'o2x47GapGh'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, ir2FaAz1NFgMY4a9oC.cs	High entropy of concatenated method names: 'egOxZWSmW1', 'aS3xXVAwaa', 'VSZxa68Y2b', 'el4xQX0vsS', 'rx7x9wZrcP', 'OTjxtV8s3p', 'qFLx64PPTU', 'HQpxgdqtI2', 'GKZxfmyYxw', 'YNMxSc6dpU'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, LmTgMYFh3OGojmve7Xn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rLsp8oLgln', 'UOwpxKT52j', 'OXDp5xvIlG', 'MPapp3cvwR', 'MPcpTFsj6v', 'y4tp2X9tRg', 'gX0pgo4xEf'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, LowW40Q982xWOI9xAn.cs	High entropy of concatenated method names: 'Lg1Md9u5ij', 'q2CMCke9P4', 'BUcMI1jfKV', 'Fd5MwVSguX', 'GSZMs3G3Zy', 'FSZIAnY3wG', 'zwIIuSX7R7', 'iEHIvW8E7r', 'rbTIjvQ4mD', 'W6DI17Ltjo'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, DJQwjBKuYSibWE4p8x.cs	High entropy of concatenated method names: 'VkfwOeudWW', 'g8Dw0IO2P5', 'kh7wM9yAiX', 'AwHMJJZgG0', 'UPbMzpZRN2', 'hvAwDcEAT2', 'CvEwFdThWR', 'gMVwRvqucV', 'zamwnJ0j4I', 'cx2whXrjhw'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, s0krrCXbibCQgAZJ8j.cs	High entropy of concatenated method names: 'WJeCLmIFHM', 'swoCWDS9h5', 'tAlCEDLs2I', 'ak1CkNT6Hq', 'NrOCAsQusU', 'I9gCuG5WZo', 'xesCvaXPLj', 'XP8CjjSF04', 'KBaC1Aom5u', 'mCCCJXSem0'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, UWTvOyBUoZbNADslHe.cs	High entropy of concatenated method names: 'nsqwf9vfMX', 'fbvwS97ZNd', 'upewP2uxWs', 'o2BwiXK6yq', 'hbCwN31NWM', 'PZIwZAhUCA', 'LtfweSC2ry', 'O9FwX88q5u', 'NwZwagfErZ', 'aejwcNn5Y0'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, hDLXZBFRkLpWHVswN6V.cs	High entropy of concatenated method names: 'ToString', 'G3V5XjBssB', 'PNG5aTmqDE', 'F7M5co4jlu', 'iej5Qmt811', 'zNU59ajfn0', 'TXU5yeUZqc', 'Pdd5tqPtyP', 'sBj9mLUsaY8rU3Wg6Wd', 'xSEOWwUWx8YkCHB4XWQ'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, qvWeVBhdrvhr8amZlX.cs	High entropy of concatenated method names: 'fJ8Fw0krrC', 'NibFsCQgAZ', 'LbrFo3AFOA', 'oTXFG1tvbQ', 'WJqFUrvKow', 'R40FV982xW', 'Jx9MrED5gFhanjTI5R', 'UNuKrQGynAp55R6qvW', 'qAkFFlRBNR', 'HbLFnXm0U1'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, xVPKDA1FG5aLinG5gT.cs	High entropy of concatenated method names: 'GA88Q44dmE', 'jmV893K2sI', 'Bd88ywxmqL', 'M5J8tkMgCO', 'B6w86iPgT3', 'rMB8q4nx0I', 'nvZ8KeCYfO', 'lnH8HbYUgl', 'sSF8BdlMMq', 'qNd8bMt6wA'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, GI66efJ24Cy1jKm2MI.cs	High entropy of concatenated method names: 'kbjx0WxL2H', 'u04xIYcD9r', 'AmxxMulaWN', 'e4cxwmeMIR', 'mNGx89BL05', 'Kxoxs6rmSK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, GdcJwlClFUCBbSK8pY.cs	High entropy of concatenated method names: 'Dispose', 'U9ZF1WQZbP', 'O3vR92l5Wy', 'KFNKEATNt0', 'oOfFJjEQoI', 'vv5Fz45vhx', 'ProcessDialogKey', 'oXfRDVPKDA', 'bG5RFaLinG', 'tgTRR9I66e'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, FUiLK3RekSFMxvcuxj.cs	High entropy of concatenated method names: 'BxAPBi1Cw', 'DXSixbJPb', 'ANSZJORjN', 'dLqe6nkcb', 'r4mahdx7T', 'EkQcaFymy', 'ppOpOAg7pXB3wuCJOF', 'FqY9c8AMoQhZLW8nx5', 'Gshm8Jmt8', 'ibax5aCO6'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, bTbrRHabr3AFOAUTX1.cs	High entropy of concatenated method names: 'oy30iHKXoh', 'PNa0Z1YMbh', 'koy0XxUwOR', 'pHY0aeHn3C', 'U310UO31Zv', 'jhM0VgM7Et', 'BbA0rhiOSs', 'G570moifLd', 'bFQ08i9h8d', 'GUw0x52n6A'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, hR8U3VuTNCYwZAtxP4.cs	High entropy of concatenated method names: 'JCLrjGUR2h', 'TcErJ777Rl', 'T9LmDkpuyy', 'hAsmFdHOlm', 'eixr7uLVHo', 'y3Br33VbgI', 'kDNrlqGwMh', 'N1XrLwmAiA', 'm0XrWLYDCd', 'C6NrE7aPvB'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	High entropy of concatenated method names: 'RltndCZMry', 'OY8nOekfrS', 'LOFnCJPCQi', 'lajn0LxfIL', 'bCnnI83VR1', 'jusnMkhh7D', 'T3gnwE8gM5', 'XpUnsjBVFC', 'n3MnYPC605', 'cldnoh2qRw'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, pRKek4FF7g86jJ6clPT.cs	High entropy of concatenated method names: 'frExJToYr4', 'cKqxzBmqio', 'aDA5DiknVb', 'xJN5FpPDha', 'qXG5R1rOgZ', 'mTC5nIvR6Y', 'AD25hg5BOK', 'Nto5dkt4wF', 'mJ05Ok1L25', 'Nif5ChBwJk'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, u5K0KakCH039B2Zh29.cs	High entropy of concatenated method names: 'zCcroUuN4C', 'trMrGqQJjQ', 'ToString', 'hitrODdbAD', 'Y6ErCBwPZ9', 'yIfr0ZERTW', 'UdfrInPLTs', 'oSWrMeKLCX', 'u9mrwvKsrh', 'cl1rsuUajS'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, Pctsf0FD9QOSkcvYWwo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'prAx7tHVKL', 'cyxx3IqCoi', 'hYdxl2oevM', 'SVpxLu2rI9', 'z5yxWVP4WE', 'qJxxEY3JN8', 'hn8xkfalhr'
Source: 6.2.3JZ4CUFqSs.exe.484d008.3.raw.unpack, h5Y1mavUcA9ZWQZbPU.cs	High entropy of concatenated method names: 'hdJ8UEaOFK', 'O2m8r07EDW', 'Hmj887CL7t', 'Qqs85QrORJ', 'syB8TygwVP', 'Egt8glvp8B', 'Dispose', 'RmpmONO8Vv', 'G5wmCk7wnr', 'eY0m0WXaAf'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XVcuD6lbnlylJahljJ.cs	High entropy of concatenated method names: 'T0M4XZbLiD', 'kCX4aReCXP', 'yVq4QUPXGq', 'u5l49opTAt', 'De74tapsF6', 'rRH46skGem', 'vVS4KVKA2O', 'tpt4HqNTRq', 'Hvf4bBb35a', 'o2x47GapGh'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, ir2FaAz1NFgMY4a9oC.cs	High entropy of concatenated method names: 'egOxZWSmW1', 'aS3xXVAwaa', 'VSZxa68Y2b', 'el4xQX0vsS', 'rx7x9wZrcP', 'OTjxtV8s3p', 'qFLx64PPTU', 'HQpxgdqtI2', 'GKZxfmyYxw', 'YNMxSc6dpU'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, LmTgMYFh3OGojmve7Xn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rLsp8oLgln', 'UOwpxKT52j', 'OXDp5xvIlG', 'MPapp3cvwR', 'MPcpTFsj6v', 'y4tp2X9tRg', 'gX0pgo4xEf'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, LowW40Q982xWOI9xAn.cs	High entropy of concatenated method names: 'Lg1Md9u5ij', 'q2CMCke9P4', 'BUcMI1jfKV', 'Fd5MwVSguX', 'GSZMs3G3Zy', 'FSZIAnY3wG', 'zwIIuSX7R7', 'iEHIvW8E7r', 'rbTIjvQ4mD', 'W6DI17Ltjo'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, DJQwjBKuYSibWE4p8x.cs	High entropy of concatenated method names: 'VkfwOeudWW', 'g8Dw0IO2P5', 'kh7wM9yAiX', 'AwHMJJZgG0', 'UPbMzpZRN2', 'hvAwDcEAT2', 'CvEwFdThWR', 'gMVwRvqucV', 'zamwnJ0j4I', 'cx2whXrjhw'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, s0krrCXbibCQgAZJ8j.cs	High entropy of concatenated method names: 'WJeCLmIFHM', 'swoCWDS9h5', 'tAlCEDLs2I', 'ak1CkNT6Hq', 'NrOCAsQusU', 'I9gCuG5WZo', 'xesCvaXPLj', 'XP8CjjSF04', 'KBaC1Aom5u', 'mCCCJXSem0'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, UWTvOyBUoZbNADslHe.cs	High entropy of concatenated method names: 'nsqwf9vfMX', 'fbvwS97ZNd', 'upewP2uxWs', 'o2BwiXK6yq', 'hbCwN31NWM', 'PZIwZAhUCA', 'LtfweSC2ry', 'O9FwX88q5u', 'NwZwagfErZ', 'aejwcNn5Y0'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, hDLXZBFRkLpWHVswN6V.cs	High entropy of concatenated method names: 'ToString', 'G3V5XjBssB', 'PNG5aTmqDE', 'F7M5co4jlu', 'iej5Qmt811', 'zNU59ajfn0', 'TXU5yeUZqc', 'Pdd5tqPtyP', 'sBj9mLUsaY8rU3Wg6Wd', 'xSEOWwUWx8YkCHB4XWQ'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, qvWeVBhdrvhr8amZlX.cs	High entropy of concatenated method names: 'fJ8Fw0krrC', 'NibFsCQgAZ', 'LbrFo3AFOA', 'oTXFG1tvbQ', 'WJqFUrvKow', 'R40FV982xW', 'Jx9MrED5gFhanjTI5R', 'UNuKrQGynAp55R6qvW', 'qAkFFlRBNR', 'HbLFnXm0U1'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, xVPKDA1FG5aLinG5gT.cs	High entropy of concatenated method names: 'GA88Q44dmE', 'jmV893K2sI', 'Bd88ywxmqL', 'M5J8tkMgCO', 'B6w86iPgT3', 'rMB8q4nx0I', 'nvZ8KeCYfO', 'lnH8HbYUgl', 'sSF8BdlMMq', 'qNd8bMt6wA'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, GI66efJ24Cy1jKm2MI.cs	High entropy of concatenated method names: 'kbjx0WxL2H', 'u04xIYcD9r', 'AmxxMulaWN', 'e4cxwmeMIR', 'mNGx89BL05', 'Kxoxs6rmSK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, GdcJwlClFUCBbSK8pY.cs	High entropy of concatenated method names: 'Dispose', 'U9ZF1WQZbP', 'O3vR92l5Wy', 'KFNKEATNt0', 'oOfFJjEQoI', 'vv5Fz45vhx', 'ProcessDialogKey', 'oXfRDVPKDA', 'bG5RFaLinG', 'tgTRR9I66e'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, FUiLK3RekSFMxvcuxj.cs	High entropy of concatenated method names: 'BxAPBi1Cw', 'DXSixbJPb', 'ANSZJORjN', 'dLqe6nkcb', 'r4mahdx7T', 'EkQcaFymy', 'ppOpOAg7pXB3wuCJOF', 'FqY9c8AMoQhZLW8nx5', 'Gshm8Jmt8', 'ibax5aCO6'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, bTbrRHabr3AFOAUTX1.cs	High entropy of concatenated method names: 'oy30iHKXoh', 'PNa0Z1YMbh', 'koy0XxUwOR', 'pHY0aeHn3C', 'U310UO31Zv', 'jhM0VgM7Et', 'BbA0rhiOSs', 'G570moifLd', 'bFQ08i9h8d', 'GUw0x52n6A'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, hR8U3VuTNCYwZAtxP4.cs	High entropy of concatenated method names: 'JCLrjGUR2h', 'TcErJ777Rl', 'T9LmDkpuyy', 'hAsmFdHOlm', 'eixr7uLVHo', 'y3Br33VbgI', 'kDNrlqGwMh', 'N1XrLwmAiA', 'm0XrWLYDCd', 'C6NrE7aPvB'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, XcwMNCsvSRLcjQEXHd.cs	High entropy of concatenated method names: 'RltndCZMry', 'OY8nOekfrS', 'LOFnCJPCQi', 'lajn0LxfIL', 'bCnnI83VR1', 'jusnMkhh7D', 'T3gnwE8gM5', 'XpUnsjBVFC', 'n3MnYPC605', 'cldnoh2qRw'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, pRKek4FF7g86jJ6clPT.cs	High entropy of concatenated method names: 'frExJToYr4', 'cKqxzBmqio', 'aDA5DiknVb', 'xJN5FpPDha', 'qXG5R1rOgZ', 'mTC5nIvR6Y', 'AD25hg5BOK', 'Nto5dkt4wF', 'mJ05Ok1L25', 'Nif5ChBwJk'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, u5K0KakCH039B2Zh29.cs	High entropy of concatenated method names: 'zCcroUuN4C', 'trMrGqQJjQ', 'ToString', 'hitrODdbAD', 'Y6ErCBwPZ9', 'yIfr0ZERTW', 'UdfrInPLTs', 'oSWrMeKLCX', 'u9mrwvKsrh', 'cl1rsuUajS'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, Pctsf0FD9QOSkcvYWwo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'prAx7tHVKL', 'cyxx3IqCoi', 'hYdxl2oevM', 'SVpxLu2rI9', 'z5yxWVP4WE', 'qJxxEY3JN8', 'hn8xkfalhr'
Source: 6.2.3JZ4CUFqSs.exe.7bd0000.6.raw.unpack, h5Y1mavUcA9ZWQZbPU.cs	High entropy of concatenated method names: 'hdJ8UEaOFK', 'O2m8r07EDW', 'Hmj887CL7t', 'Qqs85QrORJ', 'syB8TygwVP', 'Egt8glvp8B', 'Dispose', 'RmpmONO8Vv', 'G5wmCk7wnr', 'eY0m0WXaAf'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: 9030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: A030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: A240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: B240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory allocated: D8D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6744	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1067	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Window / User API: threadDelayed 8866	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Window / User API: threadDelayed 1108	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mtstocom.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe TID: 832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2044	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 5520	Thread sleep count: 8866 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 5520	Thread sleep time: -17732000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 5520	Thread sleep count: 1108 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 5520	Thread sleep time: -2216000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe TID: 3120	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe TID: 3120	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe TID: 3120	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe TID: 3120	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe TID: 3120	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed

Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655L=p
Source: 4qz92-7J.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3740920246.00000000010B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: 4qz92-7J.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .bankofamerica.comVMware
Source: 4qz92-7J.14.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COM.HKVMware20,11696428
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: East & CentralVMware20,1
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 4qz92-7J.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,1169642
Source: 4qz92-7J.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 4qz92-7J.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 4qz92-7J.14.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 4qz92-7J.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 3JZ4CUFqSs.exe, 00000006.00000002.1295367062.0000000000F25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8~
Source: mtstocom.exe, 0000000E.00000002.3740321563.0000000003447000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 4qz92-7J.14.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 00000010.00000002.1829755214.000001477A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
Source: 4qz92-7J.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 4qz92-7J.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 3JZ4CUFqSs.exe, 00000006.00000002.1295367062.0000000000F25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivebrokers.co.inVMware20t<0
Source: 4qz92-7J.14.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: soft.com/profileVMware20d<
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 4qz92-7J.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 4qz92-7J.14.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kofamerica.comVMware20,1
Source: 4qz92-7J.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: mtstocom.exe, 0000000E.00000002.3744235588.000000000837E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rd.comVMware20,116964286H<
Source: 4qz92-7J.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 4qz92-7J.14.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 4qz92-7J.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 4qz92-7J.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mtstocom.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\RURlYPNpzGspqrTdZFCLVNNkQCyMFHnvENWFCfQdvVAKrOHunHCNwPouVYtMgxCWsz\Qnv7zOwnqJwbpjTFet.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8CC008	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3JZ4CUFqSs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
3JZ4CUFqSs.exe

Source: Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3741265861.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000000.1445225836.0000000000F81000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741199326.0000000001520000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3741265861.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000000.1445225836.0000000000F81000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741199326.0000000001520000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3741265861.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000000.1445225836.0000000000F81000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741199326.0000000001520000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000002.3741265861.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000C.00000000.1445225836.0000000000F81000.00000002.00000001.00040000.00000000.sdmp, Qnv7zOwnqJwbpjTFet.exe, 0000000F.00000002.3741199326.0000000001520000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Users\user\Desktop\3JZ4CUFqSs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3JZ4CUFqSs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	612 Process Injection	11 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement