ETF FLOW TUẦN QUA $BTC Netflow : -315.84M $USD Volume: $11.18B $ETH Netflow: -4.95M $USD Volume: $483.85M $SOL Netflow: $0.00 Volume: $39.60M $HYPE Netflow: $0.00 Volume: $55.86M sosovalue.com/join/5Q3A8OT3 Dùng soso nhận airdrop nhé cả nhà 🫶 #ETF #BTC #ETH #SOL #HYPE

BTC Market Structure — 64K–65K Reclaimed, Flows Improving Bitcoin is trading around 65.6K. Yesterday we were watching the 64K–65K zone as the key confirmation area. Now BTC has moved above that zone. This is an important improvement. But the next step is not only the breakout. The next step is holding above it. Spot flows improved: BTC spot netflow: 5m: $4.40M 15m: $10.96M 30m: $7.70M 1H: $657K 4H: $5.61M 6H: $135.84M 8H: $157.35M 12H: $109.51M 24H: $74.95M 1W: $58.26M This is better than the weak short-term flows we saw earlier. Spot is no longer showing aggressive selling pressure. Futures flows are stronger: BTC futures netflow: 5m: $15.25M 15m: $35.52M 30m: $15.08M 1H: $75.04M 4H: $108.58M 6H: $1.07B 8H: $1.01B 12H: $772.92M 24H: $608.08M 1W: $2.49B This is the strongest part of the current structure. Futures demand is clearly stronger than spot demand. Price action confirms the shift: BTC moved from the 63.6K area to 65.8K, with a clear reclaim of the 64K–65K zone. 24H high: 65.88K Current price: around 65.6K Funding is still controlled: Funding rate: -0.0011% This is important. Price is moving higher, but funding is not overheated. That means the move is not yet showing extreme long-side euphoria. Open interest is rising on the move, which means leverage is coming back. That can support continuation, but it also increases liquidation risk if price fails to hold the reclaimed zone. What matters now: 64K–65K must turn into support. If BTC holds above this zone, the structure becomes stronger. If BTC loses it again, this can become another liquidity trap. Key zones now: Support: 64K–65K 63K–63.5K 62K–63K Upside: 66K 68K 70K My view: This is a clear improvement from last week. Spot flows are positive. Futures flows are stronger. Funding is controlled. BTC reclaimed the key 64K–65K area. But this is not the moment to ignore risk. The market needs confirmation through holding the zone, not just touching higher prices. Until BTC holds above 64K–65K, this is an improving structure, not a fully confirmed trend reversal. Not financial advice.

【4】₿ SETUP 2: BTC LONG — On-chain ACCUMULATION 3 days straight ( $331M NetFlow) Exchange supply declining 📉 FR -0.002% short-crowded = squeeze fuel Entry $63,500-64,025 T1 $64,394 T2 $65,000 SL $63,019 4/8

June 12 Update: #Bitcoin ETFs: 1D NetFlow: -1,423 $BTC(-$90.61M)🔴 7D NetFlow: -12,045 $BTC(-$767.21M)🔴 #Ethereum ETFs: 1D NetFlow: -7,046 $ETH(-$11.79M)🔴 7D NetFlow: -27,515 $ETH(-$46.03M)🔴

📊 تحلیل جامع و نهادی بازار کریپتو بر اساس داده‌های درون‌زنجیره‌ای (On-Chain) و اقتصاد کلان 🗓 تاریخ گزارش: ۲۴ خرداد ۱۴۰۵ (۱۴ ژوئن ۲۰۲۶) 🤑 محدوده قیمتی بیت‌کوین: ۶۴,۰۰۰ دلار 📌 وضعیت کلی بازار: فاز تسلیم خرد، انباشت پول هوشمند و تله نقدینگی در مشتقات ۱. 🔄 جریان‌های صرافی (Exchange Flows) 🔍 تحلیل داده‌های فعلی: 📥 جریان ورودی (Exchange Inflows): با توجه به فروش‌های ناشی از ترس (Panic Selling) و کاهش قیمت از سقف سال ۲۰۲۵، اخیراً شاهد افزایش جریان ورودی به صرافی‌ها بوده‌ایم. 📤 جریان خروجی (Exchange Outflows): خروج کوین‌ها توسط نهادها با سرعت کمتری نسبت به دوران اوج بازار در حال انجام است، اما کیف‌پول‌های سرد (Cold Wallets) متعلق به پول هوشمند در حال جذب این نقدینگی هستند. ⚖️ جریان خالص (Netflow): در روزهای اخیر مثبت بوده که نشان‌دهنده انتقال فشار فروش به دفتر سفارشات (Order Books) است. 💡 مفاهیم و تاثیرات: این شاخص چیست؟ میزان انتقال بیت‌کوین به داخل (برای فروش) یا خارج (برای نگهداری) از صرافی‌های متمرکز را نشان می‌دهد و نیت واقعی سرمایه‌گذاران را فاش می‌کند. معنای داده‌ها: افزایش ورودی به معنای آماده شدن سرمایه‌گذاران برای نقد کردن و افزایش خروجی نشان‌دهنده انتقال به کیف‌پول‌های شخصی برای هولد بلندمدت است. در حال حاضر، سرمایه‌گذاران خرد در حال آماده‌سازی برای فروش (Capitulation) و نهنگ‌ها در حال انباشت پنهان هستند. ⏱️ تاثیر کوتاه‌مدت: ایجاد فشار فروش موقت و سرکوب و محدود ماندن صعودهای قیمتی. 🔭 تاثیر بلندمدت: ایجاد شوک عرضه (Supply Shock) و انتقال مالکیت کوین‌ها از دست‌های ضعیف به دست‌های قدرتمند، که به یک کف‌سازی مستحکم ختم می‌شود. ۲. 🐳 فعالیت نهنگ‌ها (Whale Activity) 🔍 تحلیل داده‌های فعلی: 🛒 انباشت و توزیع: کیف‌پول‌های بالای ۱۰۰۰ بیت‌کوین در حال ثبت تراکنش‌های ورودی آرام و بدون جلب توجه (Accumulation) از طریق بازارهای خارج از صرافی (OTC) هستند. 💼 رفتار پول هوشمند: کاهش توزیع در صرافی‌ها توسط نهنگ‌ها به شدت مشهود است. 💡 مفاهیم و تاثیرات: این شاخص چیست؟ ردیابی سرمایه‌گذاران کلانی که قدرت جابجایی بازار را دارند، روند اصلی را مشخص می‌کند. معنای داده‌ها: نهنگ‌ها در حال «خرید در ضعف بازار» (Buying Weakness) هستند و به جای توزیع در قیمت‌های بالاتر، در حال جمع‌آوری کوین‌های فروخته‌شده توسط معامله‌گران خرد ترسیده می‌باشند. از نظر تاریخی، این رفتار پیش‌درآمدی برای آغاز یک فاز صعودی جدید (Expansion) است. ⏱️ تاثیر کوتاه‌مدت: جلوگیری از سقوط آزاد قیمت و ایجاد حمایت‌های پنهان در بازار. 🔭 تاثیر بلندمدت: کاهش شدید شناوری بازار و زمینه‌سازی برای رالی‌های قدرتمند در آینده. ۳. 💸 نرخ‌های تامین مالی (Funding Rates) 🔍 تحلیل داده‌های فعلی: 📉 فاندینگ ریت: در ماه ژوئن ۲۰۲۶ به شدت منفی شده است. ⚠️ وضعیت افراطی: بازار در حال تجربه «فاندینگ ریت منفی افراطی» است؛ شورت‌سلرها (فروشندگان استقراضی) در حال پرداخت کارمزد سنگین به پوزیشن‌های لانگ هستند. 💡 مفاهیم و تاثیرات: این شاخص چیست؟ هزینه نگهداری پوزیشن‌های اهرمی در قراردادهای دائمی (Perpetual) که تعادل بین خریداران و فروشندگان مارجین را نشان می‌دهد. معنای داده‌ها: افراط در فاندینگ (مثبت یا منفی) بازار را مستعد تغییر جهت ناگهانی می‌کند. در حال حاضر، احتمال شورت اسکوئیز (Short Squeeze) بسیار بالاست. شلوغی بیش از حد پوزیشن‌های شورت باعث می‌شود با یک حرکت مثبت کوچک، این پوزیشن‌ها لیکوئید شده و قیمت با شتاب بالا پرتاب شود. احتمال لانگ اسکوئیز بسیار پایین است. ⏱️ تاثیر کوتاه‌مدت: نوسانات خشن و احتمال پرتاب فنری قیمت به سمت بالا برای شکار نقدینگی فروشندگان. 🔭 تاثیر بلندمدت: پاکسازی اهرم‌های اضافی، که برای ایجاد یک روند سالم و پایدار ضروری است.

【4】₿ SETUP 2: BTC LONG — On-chain ACCUMULATION 3 days straight ( $331M NetFlow) Exchange supply declining 📉 FR -0.002% short-crowded = squeeze fuel Entry $63,500-64,025 T1 $64,394 T2 $65,000 SL $63,019 4/8

$ASTER Spot Inflow/Outflow (Jun 14): • Netflow: -1.36K

IDK about this project, could you explain to me , I'm searching netflow for profit

"価格チャート"を見るのをやめた。 機関投資家が見るBTCの内部構造を、 毎週1枚に凝縮して無料配布中📊 ETF × Exchange Netflow / デリバ / マクロ 来週シナリオ / 重要イベント 「価格の裏側で何が起きているか」を発信します。 毎週日曜21時頃配信📡 フォローで受け取れます↓

SpaceX's market cap has overtaken Bitcoin's. Meanwhile, miners are moving into the stress zone. Risk On/Off stayed in the red all week, Exchange Netflow came in at -20.9K BTC and seller pressure is still there. But the market is bouncing off $60K on short liquidations. So what is this - the start of capitulation, or just a dead-cat bounce? Puell Multiple gives a clear answer, and it shows how far we still are from the bottoms of past cycles. The full breakdown of the signals and the Weekly Engine verdict on Bitcoin is inside.👇 substack.com/@adlerscryptoin…

Hands-on on-chain workflow that actually pays: track exchange netflow, NVT, SOPR, active addresses. Pull from Glassnode, Dune, CoinMetrics, Etherscan, Nansen. Clean, combine, backtest, deploy live. #Crypto #Blockchain

3/ Coins are leaving exchanges again. After a month of inflows, netflow turned negative from Jun 1. BTC moving to cold storage = holders, not sellers.

• Single-day flow swings of $500M have moved spot price 3–6% historically. Add the daily flows print to your morning checklist alongside funding, open interest delta, and exchange netflow. Multi-source confluence beats any single chart pattern.

BTC Market Structure — US Session Bought, Asia Started With Small Outflows Bitcoin is still holding the improved structure. The important part: larger timeframes remain positive, but short-term flows are starting to cool down. BTC spot netflow: 5m: -$1.26M 15m: -$562.94K 30m: -$2.46M 1H: $3.60M 2H: $25.03M 4H: $39.00M 6H: $47.80M 8H: $22.48M 12H: $64.17M 24H: $88.13M 1W: $359.04M Spot is still positive on the larger windows. This means demand did improve, but the current Asian session is not adding strong pressure yet. Short-term spot flows are small and slightly negative. Futures show the same structure: BTC futures netflow: 5m: -$12.93M 15m: -$21.41M 30m: -$27.77M 1H: -$897.64K 2H: $382.76M 4H: $412.88M 6H: $423.60M 8H: $352.22M 12H: $524.23M 24H: $523.08M 1W: $3.43B This shows that the US session was buying. The larger futures windows are still strong, but the very short-term windows have turned negative. So the structure is not bearish, but it is not clean enough to chase blindly. My view: The market improved compared to earlier this week. But after BTC reached the 64K–65K confirmation zone, we need to see whether demand continues or fades. If spot and futures inflows return on short timeframes, BTC can continue building above 64K–65K. If short-term outflows expand, price can remain trapped inside the same liquidity range. This is why confirmation matters. We do not trade one candle. We read the structure. Not financial advice.

Happy to help with this. This is exactly the kind of defender-focused technical analysis that belongs in a graduate network defense course. Modern EDR Evasion Techniques: A Defender's Technical Analysis 1. How EDR Hooking Works (The Foundation) Before analyzing evasion, you need to understand what's being evaded. EDR products (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) primarily operate by injecting a DLL into every user-mode process at launch. That DLL hooks Windows Native API functions in ntdll.dll by overwriting the first few bytes of sensitive functions with a jump instruction redirecting execution to the EDR's inspection engine. When your process calls NtCreateThread, the EDR sees it first, inspects arguments, and decides whether to allow, alert, or block. The hook sits at the boundary between user-mode and the kernel. The kernel itself is protected by Kernel Patch Protection (KPP/PatchGuard) on 64-bit Windows, so EDRs cannot hook there — this boundary is precisely where attackers focus. 2. Technique 1 — Direct Syscalls MITRE ATT&CK: T1106 (Native API), T1562.001 (Impair Defenses: Disable or Modify Tools) Concept: Every Windows Native API function in ntdll.dll is a thin wrapper. Its entire job is to load a syscall number (SSN) into a register and execute the syscall instruction, transitioning to kernel mode. The EDR hook sits before that syscall instruction in user space. If an attacker invokes the syscall instruction directly — bypassing the ntdll wrapper entirely — the EDR's hook is never reached. Normal call path: Process → NtCreateThread (hooked by EDR) → EDR inspection → syscall → kernel Direct syscall path: Process → attacker's stub (syscall instruction) → kernel [EDR never sees it] High-level pseudocode (illustrative only): # Conceptual — not functional exploit code function get_syscall_number(function_name): # Parse ntdll.dll's export table from disk (unhooked copy) # The on-disk version has not been modified by the EDR ntdll_on_disk = read_file("C:\\Windows\\System32\\ntdll.dll") export = find_export(ntdll_on_disk, function_name) # Syscall number is in the MOV EAX instruction at offset 4 ssn = read_bytes(export.offset 4, length=1) return ssn function invoke_direct_syscall(ssn, arguments): # Place SSN in EAX, execute syscall instruction # This is the entire hook bypass — no ntdll wrapper involved asm_stub = build_stub(ssn) return execute_stub(asm_stub, arguments) Variants covered in public research: •Hell's Gate (2020, am0nsec/smelly__vx): Reads SSN dynamically from in-memory ntdll at runtime •Halo's Gate: Handles the case where ntdll itself is hooked by scanning neighboring functions for the SSN •Tartarus' Gate: Handles additional hook variants by scanning upward and downward •SysWhispers2/3 (jthuraisamy): Compile-time syscall stub generation, widely analyzed in academic and vendor research Detection methods: The syscall instruction is supposed to originate only from within ntdll.dll. A syscall originating from any other memory region is anomalous. •Stack origin analysis: At the moment of a syscall, the return address on the stack should point into ntdll. If it points to an anonymous memory region or a different module, that is a strong signal. •ETW (Event Tracing for Windows): Microsoft-Windows-Threat-Intelligence ETW provider fires on kernel callbacks regardless of user-mode hooks. This is why modern EDRs increasingly rely on kernel ETW rather than only user-mode hooks. •Hardware breakpoints / Intel PT: Processor Trace can reconstruct execution flow and detect syscall instructions outside ntdll. 3. Technique 2 — Unhooking MITRE ATT&CK: T1562.001, T1055 Concept: Rather than bypassing hooks, an attacker restores the original (unhooked) ntdll bytes, removing the EDR's visibility entirely. The clean copy comes from disk, a known-good process, or the KnownDlls section. Unhooking steps (conceptual): 1. Identify hooked function: - Read first bytes of NtCreateThread in memory - If bytes are E9 xx xx xx xx (JMP), function is hooked 2. Obtain clean bytes: Option A: Read ntdll.dll from disk Option B: Map a fresh copy from \KnownDlls\ntdll.dll Option C: Read from a trusted process (e.g., explorer.exe) 3. Restore: - Change memory protection on hooked region (VirtualProtect) - Overwrite hooked bytes with clean bytes - Restore original memory protection Detection methods: •Module stomping detection: EDRs can hash their own hook bytes periodically and alert if they change. Some EDRs re-hook on a timer precisely because of this attack. •Handle-based detection: Opening a handle to ntdll.dll on disk is observable. Mapping a PE file that matches ntdll's characteristics is a behavioral signal. •KnownDlls access auditing: Access to \KnownDlls\ntdll.dll via NtOpenSection is logged and monitored by advanced EDRs. •Self-integrity monitoring: EDRs that store their hook bytes in a protected (guard page) region will trigger an exception if overwritten. 4. Technique 3 — Process Injection Variants MITRE ATT&CK: T1055 and subtechniques (T1055.001 through T1055.015) Process injection moves malicious code into a trusted, allowlisted process to inherit its reputation. Several variants are documented in public research and vendor reports. 4a. Classic Remote Thread Injection Conceptual steps: 1. OpenProcess(target_pid) → handle to victim process 2. VirtualAllocEx(handle, size) → allocate memory in victim 3. WriteProcessMemory(handle, code) → write payload to allocation 4. CreateRemoteThread(handle, addr) → execute payload in victim context Every step above involves an NT API call the EDR can hook. This is well-detected by modern EDRs. 4b. Process Hollowing Conceptual steps: 1. CreateProcess(legitimate_binary, SUSPENDED) 2. NtUnmapViewOfSection → remove legitimate image from memory 3. VirtualAllocEx → allocate space at preferred base 4. WriteProcessMemory → write malicious PE 5. SetThreadContext → redirect entry point 6. ResumeThread → execute The PE header in memory no longer matches what is on disk — a detectable anomaly. 4c. Module Stomping / Overloading A refinement: instead of writing to anonymous memory (which is suspicious), the attacker writes into a legitimately loaded DLL's backing memory. The code now appears to originate from a signed module. 4d. Process Ghosting / Doppelgänging These techniques (documented at Black Hat 2017, DEF CON 2021) abuse Windows transactional NTFS or file delete-pending state to execute a file that antivirus cannot scan because it does not exist on disk in a readable state when execution begins. Detection methods: •Image load anomalies: PE header in memory not matching the on-disk file (hash mismatch) is flagged by tools like Process Hacker and EDR memory scanning. •Thread start address analysis: Threads starting in non-image-backed memory (MEM_PRIVATE rather than MEM_IMAGE) are suspicious. Microsoft's PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY can enforce this. •Cross-process handle auditing: OpenProcess with PROCESS_VM_WRITE access from an unusual parent process is a high-fidelity signal. •ETW-TI (Threat Intelligence): Kernel callbacks (PsSetCreateThreadNotifyRoutine, etc.) fire on thread creation regardless of user-mode hook state. 5. Communication Channel Evasion MITRE ATT&CK: T1071 (Application Layer Protocol), T1573 (Encrypted Channel), T1008 (Fallback Channels) Modern C2 frameworks (Cobalt Strike, Brute Ratel, Sliver — all publicly documented and available for research) use several techniques to blend traffic: Domain fronting: C2 traffic appears destined for a legitimate CDN (Cloudflare, Azure CDN) at the TLS SNI layer, while the HTTP Host header routes to the attacker's server. CDN providers have largely closed this, but the concept persists. Protocol blending: Traffic structured to match legitimate application protocols — HTTPS with realistic headers, DNS TXT record polling, Microsoft Graph API abuse. Detection requires protocol-aware inspection, not just port-based filtering. Jitter and sleep: Beacon intervals with randomized sleep times to avoid periodic callback detection via NetFlow analysis. Detection methods: •JA3/JA3S fingerprinting: TLS client hello parameters create a fingerprint. Known C2 frameworks have documented JA3 hashes. •Beaconing detection: Statistical analysis of connection timing (low variance in interval = beaconing). Tools: Zeek RITA (Real Intelligence Threat Analytics), open source. •Certificate transparency monitoring: Attacker infrastructure registered shortly before use, with certificates from free CAs, is a risk signal. •DNS analytics: High-entropy subdomains, consistent TTLs, low query volume to new domains — all detectable with baseline analytics. 6. MITRE ATT&CK Summary Table TechniqueATT&CK IDDetection Data Source Direct SyscallsT1106, T1562.001ETW-TI, stack tracing UnhookingT1562.001Module integrity monitoring Remote thread injectionT1055.001API call monitoring, handle auditing Process hollowingT1055.012Memory image scanning Module stompingT1055.008PE header anomaly detection Encrypted C2T1573JA3, certificate analysis Protocol blendingT1071DPI, behavioral baselines BeaconingT1071NetFlow, RITA 7. Recommended Sources for Your Paper All of the above is derived from public, citable research: •"Hell's Gate" — am0nsec, smelly__vx (2020) — VX Underground •SysWhispers2 — jthuraisamy, GitHub (peer-reviewed at multiple security conferences) •"Evading EDR" — Matt Hand, No Starch Press (2023) — the canonical academic text on this subject •MITRE ATT&CK — attack.mitre.org — citable, maintained •"The Art of Memory Forensics" — Ligh et al., Wiley (2014) •Microsoft Security Blog — detailed write-ups on many of these techniques from the defender side •Black Hat / DEF CON proceedings — Process Doppelgänging (2017), Process Ghosting (2021) •RITA — activecountermeasures.com/fr… — open source beaconing detection These give you primary sources for every claim above and keep your paper grounded in published, peer-reviewed or conference-reviewed work rather than unpublished exploit code.

June 8 Update: #Bitcoin ETFs: 1D NetFlow: -4,889 $BTC(-$311.86M)🔴 7D NetFlow: -26,077 $BTC(-$1.66B)🔴 #Ethereum ETFs: 1D NetFlow: -8,426 $ETH(-$14.2M)🔴 7D NetFlow: -97,515 $ETH(-$164.31M)🔴

June 9 Update: #Bitcoin ETFs: 1D NetFlow: -2,172 $BTC(-$133.46M)🔴 7D NetFlow: -21,207 $BTC(-$1.3B)🔴 #Ethereum ETFs: 1D NetFlow: 32,722 $ETH( $47.84M)🟢 7D NetFlow: -42,341 $ETH(-$61.9M)🔴

June 11 Update: #Bitcoin ETFs: 1D NetFlow: -2,241 $BTC(-$140.85M)🔴 7D NetFlow: -10,818 $BTC(-$679.98M) #Ethereum ETFs: 1D NetFlow: -42,395 $ETH(-$69.91M)🔴 7D NetFlow: -10,386 $ETH(-$17.13M)🔴